The Hitchhiker's Guide to Online Anonymity


(Or "How I learned to start worrying and love privacy anonymity")
Version 1.1.3, January 2022 by Anonymous Planet 
IMPORTANT RECOMMENDATION FOR UKRAINIANS.


This guide is a work in progress. While I am doing the best I can to correct issues, inaccuracies, and improve the content, general structure, and readability; it will probably never be "finished".
mistakes. Please do not take this guide as a definitive gospel or truth because it is not. Mistakes have been written in the guide in earlier versions and fixed later when discovered. There are likely still some mistakes in this guide at this moment (hopefully few).
Your experience may vary. Remember to check regularly for an updated version of this guide.
>> For mirrors see Appendix A6: Mirrors

>> For help in comparing versions see Appendix A7: Comparing versions 
Feel free to submit issues (please do report anything wrong) using GitHub Issues at: https://github.com/AnonyPla-ng/thgtoa/issues 
Feel free to come to discuss ideas at: 

>> GitHub Discussions: https://github.com/AnonyPla-ng/thgtoa/discussions 

>> Rules for our chatrooms: https://privacy-security-anonymity.github.io/chatrooms-rules/ 

>> Matrix/Element Room: #anonymity:matrix.org https://matrix.to/#/#anonymity:matrix.org 


>> Matrix Space regrouping several rooms with similar interests: #privacy-security-anonymity:matrix.org 
https://matrix.to/#/#privacy-security-anonymity:matrix.org. 
>> Twitter at https://twitter.com/AnonyPla (deleted) [Nitter] (cannot guarantee this account will stay up for long tho)
>> Mastodon at https://mastodon.social/@anonypla (deleted).

There are several ways you could read this guide:


>> You want to understand the current state of online privacy and anonymity not necessarily get too technical about it: Just read the
A final editorial note sections.


>> You want to do the above but also learn how to remove some online information about you: Just read the above and add the Removing some traces of your identities on search engines and various platforms section.

>> You want to do the above and create anonymous identities online safely and securely: Read the whole guide.


Precautions while reading this guide and accessing the various links: 





>> Documents/Files have a [Archive.org] link next to them for accessing content through Archive.org for increased privacy and in case the content goes missing. Some links are not yet archived or outdated on archive.org, in which case I encourage you to ask for a new save if possible.

>> YouTube links have an [Invidious] link next to them for accessing content through an Invidious instance (in this case one hosted in the Netherlands) for increased privacy. It is recommended to use these links when possible. See https://github.com/iv-org/invidious [Archive.org] for more information.

>> Twitter links have a [Nitter] link next to them for accessing content through a Nitter instance (in this case nitter.net) for increased privacy. It is recommended to use these links when possible. See https://github.com/zedeus/nitter [Archive.org] for more information.

>> Wikipedia links have a [Wikiless] link next to them for accessing content through a Wikiless instance (in this case Wikiless.org) for increased privacy. It is recommended to use these links when possible. See https://codeberg.org/orenom/wikiless [Archive.org] for more information.

>> Medium links have a [Scribe.rip] link next to them for accessing content through Scribe.rip for increased privacy. It is recommended to use these links when possible. See https://scribe.rip/ [Archive.org] for more information.


>> If you are reading this in PDF or ODT format, you will notice plenty of `` in place of double quotes (""). These `` are there to ease conversion into Markdown/HTML format for online viewing of code blocks on the website.


If you do not want the hassle and use one of the browsers below, you could also just install the following extension on your browser: https://github.com/SimonBrazell/privacy-redirect [Archive.org].
>> Firefox: https://addons.mozilla.org/en-US/firefox/addon/privacy-redirect/ 


>> Chromium-based browsers (Chrome, Brave, Edge): https://chrome.google.com/webstore/detail/privacy-

Sci-Hub (https://en.wikipedia.org/wiki/Sci-Hub [Wikiless] [Archive.org]) or LibGen (https://en.wikipedia.org/wiki/Library_Genesis [Wikiless] [Archive.org]) for finding and reading them. Because Science should be free. All of it. If you are faced with a paywall accessing some resources, consider using https://12ft.io/.


Finally note that this guide does mention and even recommends various commercial services (such as VPNs, CDNs, e-mail providers, hosting providers...) but is not endorsed or sponsored by any of them in any way. There are no referral links and no commercial ties.

Pre-requisites and limitations:


Pre-requisites: 
>> Be a permanent resident in Germany where the courts have upheld the legality of not using real names on online platforms (§13 VI of the German Telemedia Act of 2007). Alternatively, be a resident of any other country where you can confirm and verify the legality of this yourself.
>> This guide will assume you already have access to some (Windows/Linux/macOS) laptop computer (ideally not a work/shared device)
>> Have patience as this process could take several weeks to complete if you want to go through all the content.
>> Have some free time on your hands to dedicate to this process (or a lot depending on the route you pick).
skip them either).

>> Don't be evil (for real this time).


Limitations: 
>> Creating machine accounts of any kind (bots).
>> Creating impersonation accounts of existing people (such as identity theft).
harassment, bullying...).


>> Use by minors. 
Making a social media account with a pseudonym or artist/brand name is easy. And it is enough in most use cases to protect your identity as the next George Orwell. There are plenty of people using pseudonyms all over Facebook/Instagram/Twitter/LinkedIn/TikTok/Snapchat/Reddit/... But the vast majority of those are anything but anonymous and can easily be traced to their real identity by your local police officers, random people within the OSINT (Open-Source Intelligence) community, and trolls on 4chan.


This is a good thing as most criminals/trolls are not tech-savvy and will usually be identified with ease. But this is also a terrible thing as most 
political dissidents, human rights activists and whistleblowers can also be tracked rather easily. 


This guide aims to provide an introduction to various de-anonymization techniques, tracking techniques, ID verification techniques, and
also help you improve your privacy and security even if you are not interested in anonymity. There is an important overlap in techniques and tools used for privacy, security, and anonymity but they differ at some point:

(Illustration: Privacy / Anonymity overlap diagram)


Will this guide help you protect yourself from the NSA, the FSB, Mark Zuckerberg, or the Mossad if they are out to find you? Probably not ... Mossad will be doing "Mossad things" and will probably find you no matter how hard you try to hide.
(Illustration: xkcd "Security". Left panel, "A crypto nerd's imagination": "His laptop's encrypted. Let's build a million-dollar cluster to crack it." Right panel, "What would actually happen": "His laptop's encrypted. Drug him and hit him with this $5 wrench until ...")
(Illustration by Randall Munroe, xkcd.com, licensed under CC BY-NC 2.5)


Will this guide help you protect your privacy from OSINT researchers like Bellingcat, Doxing trolls on 4chan, or others that have no access to the NSA toolbox? More likely. Tho I would not be so sure about 4chan.


Here is a basic simplified threat model for this guide:

Adversary: Unskilled, Motivated.
  Advertisers are tracking you passively. HR people are just Googling you for a background check.
  Mitigations: Add 2FA to passwords. Use Adblocking and Incognito modes. Set your accounts Private. Use pseudonyms and creativity.

Adversary: Skilled, Unmotivated.
  They could look into you but you are not doing anything of interest and you don't matter.
  Mitigations: All of the previous and: Use Tor Browser. Use VPNs. Consider using a dedicated phone number for accounts.

Adversary: Skilled, Motivated, Limited global resources.
  Trolls, OSINT Researchers, Corporations, Local Law Enforcement...
  Mitigations: This guide is your friend.

Adversary: Highly Skilled, Highly Motivated, Unlimited global resources.
  The NSA/FSB/MSS/Mossad is looking for you.
  Mitigations: Try magical amulets or invisibility cloaks. Live in a submarine. Fake your own death. They will find you over time.

(Note that the "magical amulets/submarine/fake your own death" jokes are quoted from the excellent article "This World of Ours" by James Mickens, 2014, referenced above)


Disclaimer: Jokes aside (magical amulet...). Of course, there are also advanced ways to mitigate attacks against such advanced and skilled adversaries, but those require an exceedingly high knowledge and skill level that is not expected from the targeted audience of this guide.


The EFF provides a few security scenarios of what you should consider depending on your activity. While some of those tips might not be 
within the scope of this guide (more about Privacy than Anonymity), they are still worth reading as examples. See 


https://ssd.eff.org/en/module-categories/security-scenarios [Archive.org] 


If you want to go deeper into threat modeling, see Appendix B3: Threat modeling resources. 
You might think this guide has no legitimate use, but there are many, such as:

>> Evading Online Censorship
>> Evading Online Oppression
>> Evading Online Stalking, Doxxing, and Harassment
>> Evading Online Unlawful Government Surveillance
>> Anonymous Online Whistle Blowing
>> Anonymous Online Activism
>> Anonymous Online Journalism
>> Anonymous Online Legal Practice
>> Anonymous Online Academic Activities (For instance accessing scientific research where such resources are blocked). See note below.
>> ...

(IANAL). "Trust but verify" all the information yourself (or even better, "Never Trust, always verify").
Understanding some basics of how some information can lead back to you and how to mitigate some:





There are many ways you can be tracked besides browser cookies and ads, your e-mail, and your phone number. And if you think only the 
Mossad or the NSA/FSB can find you, you would be wrong. 


First, you could also consider these more general resources on privacy and security to learn more basics:
>> The New Oil: https://thenewoil.org/ [Archive.org]
>> Techlore videos: https://www.youtube.com/c/Techlore [Invidious]
>> Privacy Guides: https://privacyguides.org/ [Archive.org]
>> Privacy Tools: https://privacytools.io [Archive.org]

>> Note that these websites could contain affiliate/sponsored content and/or merchandising. This guide does not endorse and is not sponsored by any commercial entity in any way.

If you skipped those, you should really still consider viewing this YouTube playlist from the Techlore Go Incognito project (https://github.com/techlore-official/go-incognito [Archive.org]) as an introduction before going further: https://www.youtube.com/playlist?list=PL3KeV6Ui_4CayDGHw640FXEPHgXLkrtJO [Invidious]. This guide will cover many of the topics in the videos of this playlist with more details and references as well as some added topics not covered within that series. This will just take you 2 or 3 hours to watch it all.
Your Network:

Your IP address is the most known and obvious way you can be tracked. That IP is the IP you are using at the source. This is where you connect to the internet. That IP is usually provided by your ISP (Internet Service Provider) (xDSL, Mobile, Cable, Fiber, Cafe, Bar, Friend, Neighbor). Most countries have data retention regulations that mandate keeping logs of who is using what IP at a certain time/date for up to several years or indefinitely. Your ISP can tell a third party that you were using a specific IP at a specific date and time, years after the fact. If that IP (the original one) leaks at any point for any reason, it can be used to track you down directly. In many countries, you will not be able to have internet access without providing some form of identification to the provider (address, ID, real name, e-mail ...).

Needless to say, most platforms (such as social networks) will also keep (sometimes indefinitely) the IP addresses you used to sign up and sign into their services.
>> Find your IP:
>> https://resolve.rs/
>> https://www.dnsleaktest.com/ (Bonus, check your IP for DNS leaks)
>> Find your IP location or the location of any IP:
>> https://resolve.rs/ip/geolocation.html
>> Find if an IP is "suspicious" (in blocklists) or has downloaded "things" on some public resources:
>> https://mxtoolbox.com/blacklists.aspx
>> https://www.virustotal.com/gui/home/search
>> (Take this with a grain of salt, as it relies on limited data sources. This is more for fun than anything serious.)
>> Registration information of an IP (most likely your ISP or the ISP of your connection who most likely know who is using that IP at any time):
>> https://whois.domaintools.com/
>> Check for open services or open devices on an IP (especially if there are leaky Smart Devices on it):
>> https://www.shodan.io/host/185.220.101.134 (replace the IP by your IP or any other, or change it in the search box; this example IP is a Tor exit node)
>> Various tools to check your IP such as block-list checkers and more:
>> https://browserleaks.com/ip
>> https://www.whatismyip.com
>> Would you like to know if you are connected through Tor?
>> https://check.torproject.org

You can hide your source IP using a combination of various means:


>> Using a public Wi-Fi service (free).
>> Using the Tor Anonymity Network (free).
>> Using VPN services anonymously (anonymously paid with cash or Monero).

Do note that, unfortunately, these solutions are not perfect, and you will experience performance issues.

All those will be explained later in this guide.
Your DNS and IP requests:

DNS stands for "Domain Name System" and is a service used by your browser (and other apps) to find the IP addresses of a service. It is a huge "contact list" (phone book for older people) that works like asking it a name and it returns the number to call. Except it returns an IP instead.


Every time your browser wants to access a certain service such as Google through www.google.com, your browser (Chrome or Firefox) will query a DNS service to find the IP addresses of the Google web servers.


Here is a video explaining DNS visually if you are already lost: https://www.youtube.com/watch?v=vrxwXXytEul [Invidious]


Usually, the DNS service is provided by your ISP and automatically configured by the network you are connecting to. This DNS service could also be subject to data retention regulations or will just keep logs for other reasons (data collection for advertising purposes for instance). Therefore, this ISP will be capable of telling everything you did online just by looking at those logs, which can, in turn, be provided to an adversary. Conveniently, this is also the easiest way for many adversaries to apply censoring or parental control by using DNS blocking. The provided DNS servers will give you a different address (than their real one) for some websites (like redirecting thepiratebay.org to some government website). Such blocking is widely applied worldwide for certain sites.


Using a private DNS service or your own DNS service would mitigate these issues, but the other problem is that most of those DNS requests are by default still sent in clear text (unencrypted) over the network. Even if you browse PornHub in an incognito window, using HTTPS and using a private DNS service, chances are exceedingly high that your browser will send a clear text unencrypted DNS request to some DNS servers asking basically "So what's the IP address of www.pornhub.com?".

Because it is not encrypted, your ISP and/or any other adversary could still intercept (using a Man-in-the-middle attack) your request and will know and possibly log what your IP was looking for. The same ISP can also tamper with the DNS responses even if you are using a private DNS, rendering the use of a private DNS service useless.


As a bonus, many devices and apps will use hardcoded DNS servers bypassing any system setting you could set. This is for example the case with most (70%) Smart TVs and a large part (46%) of Game Consoles. For these devices, you will have to force them to stop using their hardcoded DNS servers.

A solution to this is to use encrypted DNS using DoH (DNS over HTTPS) or DoT (DNS over TLS) with a private DNS server (this can be self-hosted locally with a solution like pi-hole, remotely hosted with a solution like nextdns.io, or using the solutions provided by your VPN provider or the Tor network). This should prevent your ISP or some go-between from snooping on your requests ... except it might not.
several times in this section for technical understanding.


Unfortunately, the TLS protocol used in most HTTPS connections in most browsers (Chrome/Brave among them) will leak the Domain Name again through the SNI handshake (this can be checked here at Cloudflare: https://www.cloudflare.com/ssl/encrypted-sni/ [Archive.org]). As of the writing of this guide, only Firefox-based browsers support ECH (Encrypted Client Hello, previously known as eSNI), and only if you also hide your DNS requests with a third party. And this option is not enabled by default either, so you will have to enable it yourself.
(Illustration: HTTPS with Encrypted DNS without ECH)

(Illustration: HTTPS with Encrypted DNS and ECH)
In addition to limited browser support, only Web Services and CDNs behind Cloudflare CDN support ECH/eSNI at this stage. This means that ECH and eSNI are not supported (as of the writing of this guide) by most mainstream platforms such as:


>> Amazon (including AWS, Twitch...)
>> Microsoft (including Azure, OneDrive, Outlook, Office 365...)
>> Google (including Gmail, Google Cloud...)
>> Apple (including iCloud, iMessage...)
>> Reddit
>> YouTube
>> Facebook
>> Instagram
>> Twitter
>> GitHub
>> ...


Some countries like Russia and China might (unverified despite the articles) block ECH/eSNI handshakes at the network level to allow snooping and prevent bypassing censorship. Meaning you will not be able to establish an HTTPS connection with a service if you do not allow them to see what it was.


The issues do not end here. Part of the HTTPS TLS validation is called OCSP, and this protocol, as used by Firefox-based browsers, will leak metadata in the form of the serial number of the certificate of the website you are visiting. An adversary can then easily find which website you are visiting by matching the certificate serial number. This issue can be mitigated by using OCSP stapling. Unfortunately, this is enabled but not enforced by default in Firefox/Tor Browser, and the website you are visiting must also support it, which not all do. Chromium-based browsers on the other hand use a different system called CRLSets which is arguably better.

Here is a list of how various browsers behave with OCSP:


Here is an illustration of the issue you could encounter on Firefox-based browsers:

(Illustration: Simple OCSP vs OCSP Stapling, showing the browser, somewebsite.com and the OCSP Responder. With simple OCSP the browser itself asks the OCSP Responder about somewebsite.com's certificate; with OCSP Stapling, somewebsite.com fetches that answer and staples it into the TLS handshake.)
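As an added example (not from the guide), here is the matching attack described above in Python: a DER-encoded OCSPRequest of the kind Firefox sends over plain HTTP when no stapled response is available, parsed to recover the issuer key hash and certificate serial, then looked up in a table of known certificates. The request bytes, hashes, serials and the lookup table are all constructed for the example; a real adversary would fill the table from Certificate Transparency logs.

```python
"""Added example (not from the guide): what an unstapled OCSP check gives
away. A Firefox-style OCSP request (RFC 6960 OCSPRequest, DER over plain
HTTP) names the certificate by issuer hashes and serial number; anyone on
the path can decode it and look the serial up in a table of known
certificates. The request bytes and the lookup table are constructed here.
"""

SHA1_OID = bytes.fromhex("2b0e03021a")          # 1.3.14.3.2.26 (sha1), as used in CertID


def der(tag: int, content: bytes) -> bytes:
    """One DER TLV with a definite length (short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def der_int(value: int) -> bytes:
    """Non-negative INTEGER; an extra leading 0x00 keeps the high bit clear."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return der(0x02, raw)


def read_tlv(data: bytes, pos: int):
    """Return (tag, content_start, content_end) for the TLV at pos."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, pos, pos + length


def build_ocsp_request(issuer_name_hash: bytes, issuer_key_hash: bytes, serial: int) -> bytes:
    """OCSPRequest { tbsRequest { requestList { Request { CertID {...} } } } }."""
    alg = der(0x30, der(0x06, SHA1_OID) + der(0x05, b""))            # AlgorithmIdentifier
    cert_id = der(0x30, alg + der(0x04, issuer_name_hash)
                  + der(0x04, issuer_key_hash) + der_int(serial))
    request = der(0x30, cert_id)
    tbs = der(0x30, der(0x30, request))                               # requestList inside TBSRequest
    return der(0x30, tbs)


def parse_ocsp_request(blob: bytes) -> dict:
    """What a passive observer extracts: issuer hashes and certificate serial."""
    _, pos, _ = read_tlv(blob, 0)                    # OCSPRequest
    _, pos, _ = read_tlv(blob, pos)                  # TBSRequest
    while blob[pos] in (0xA0, 0xA1):                 # optional [0] version, [1] requestorName
        _, _, pos = read_tlv(blob, pos)
    _, pos, _ = read_tlv(blob, pos)                  # requestList
    _, pos, _ = read_tlv(blob, pos)                  # Request
    _, pos, _ = read_tlv(blob, pos)                  # CertID
    _, _, pos = read_tlv(blob, pos)                  # hashAlgorithm (skipped)
    _, start, end = read_tlv(blob, pos)              # issuerNameHash
    name_hash = blob[start:end]
    _, start, end = read_tlv(blob, end)              # issuerKeyHash
    key_hash = blob[start:end]
    tag, start, end = read_tlv(blob, end)            # serialNumber
    if tag != 0x02:
        raise ValueError("CertID.serialNumber is not an INTEGER")
    serial = int.from_bytes(blob[start:end], "big", signed=True)
    return {"issuer_name_hash": name_hash.hex(), "issuer_key_hash": key_hash.hex(), "serial": serial}


# Constructed lookup table. A real adversary fills it from Certificate
# Transparency logs, which publish every public certificate's issuer and serial.
KNOWN_CERTS = {
    ("5c" * 20, 0x04A1B2C3D4E5F60718293A4B5C6D7E8F): "somewebsite.com",
    ("5c" * 20, 0x0FEDCBA9876543210ABCDEF012345678): "anothersite.example",
}


def site_from_ocsp_request(blob: bytes):
    """Map an intercepted OCSP request to the site being visited, or None."""
    req = parse_ocsp_request(blob)
    return KNOWN_CERTS.get((req["issuer_key_hash"], req["serial"]))


if __name__ == "__main__":
    captured = build_ocsp_request(b"\x11" * 20, bytes.fromhex("5c" * 20),
                                  0x04A1B2C3D4E5F60718293A4B5C6D7E8F)
    print(parse_ocsp_request(captured))
    print(site_from_ocsp_request(captured))      # somewebsite.com
```

The request itself never names the site, but (issuer, serial) is unique to one certificate, and certificates are public, so the lookup is cheap. Stapling removes the request; it does nothing for a site that does not staple.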
as traffic analysis studies have shown, it is still possible to fingerprint and block encrypted requests using DoH/DoT. Only DNS over Tor was able to show efficient DNS privacy in recent studies, but even that can still be defeated by other means (see Your Anonymized Tor/VPN traffic).


One could also decide to use a Tor Hidden DNS Service or ODoH (Oblivious DNS over HTTPS) to further increase privacy/anonymity but unfortunately, as far as I know, these methods are only provided by Cloudflare as of this writing (https://blog.cloudflare.com/welcome-hidden-resolver/ [Archive.org], https://blog.cloudflare.com/oblivious-dns/ [Archive.org]). These are workable and reasonably secure technical
Lastly, there is also this new possibility called DoHoT which stands for DNS over HTTPS over Tor which could also further increase your privacy/anonymity and which you could consider if you are more skilled with Linux. See https://github.com/alecmuffett/dohot [Archive.org]. This guide will not help you with this one at this stage, but it might be coming soon.


Here is an illustration showing the current state of DNS and HTTPS privacy based on my current knowledge.

As for your normal daily use (non-sensitive), remember that only Firefox-based browsers support ECH (formerly eSNI) so far and that it is only useful with websites hosted behind Cloudflare CDN at this stage. If you prefer a Chrome-based version (which is understandable for some due to some better-integrated features like on-the-fly Translation), then I would recommend the use of Brave instead which supports all Chrome extensions and offers much better privacy than Chrome.


But the story does not stop there. Even after all this, if you encrypt your DNS and use all possible mitigations, simple IP requests to any server will probably still allow an adversary to detect which site you are visiting. This is simply because the majority of websites have unique IPs tied to them. This means that an adversary can create a dataset of known websites including their IPs and then match this dataset against the IP you ask for. In most cases, this will result in a correct guess of the website you are visiting. This means that despite OCSP stapling, despite ECH/eSNI, despite using Encrypted DNS ... an adversary can still guess the website you are visiting anyway.





Therefore, to mitigate all these issues (as much as possible and as best as we can), this guide will later recommend two solutions: Using Tor and a virtualized (See Appendix W: Virtualization) multi-layered solution of VPN over Tor (DNS over VPN over Tor or DNS over Tor). Other options will also be explained (Tor over VPN, VPN only, No Tor/VPN) but are less recommended.


Your RFID enabled devices:

RFID stands for Radio-frequency identification, it is the technology used for instance for contactless payments and various identification systems. Of course, your smartphone is among those devices and has RFID contactless payment capabilities through NFC. As with everything else, such capabilities can be used for tracking by various actors.

You probably carry several RFID-enabled devices at any given time such as:


>> Your contactless-enabled credit/debit cards
>> Your store loyalty cards
>> Your transportation payment cards
>> Your work-related access cards
>> Your car keys
>> Your national ID or driver license
>> Your passport
>> The price/anti-theft tags on object/clothing
>> ...


While all these cannot be used to de-anonymize you from a remote online adversary, they can be used to narrow down a search if your approximate location at a certain time is known. For instance, you cannot rule out that some stores will effectively scan (and log) all RFID tags passing by.
More information over at Wikipedia: https://en.wikipedia.org/wiki/Radio-frequency_identification#Security_concerns [Wikiless] [Archive.org] and https://en.wikipedia.org/wiki/Radio-frequency_identification#Privacy [Wikiless] [Archive.org]

The only way to mitigate this problem is to have no RFID tags on you or to shield them using a type of Faraday cage. You could also use specialized wallets/pouches that specifically block RFID communications. Many of those are now made by well-known brands such as Samsonite. You should just not carry such RFID devices while conducting sensitive activities.
See Appendix N: Warning about smartphones and smart devices 


The Wi-Fi and Bluetooth devices around you:

Operating system makers like Google (Android) and Apple (iOS) maintain a convenient database of most Wi-Fi access points, Bluetooth devices, and their location. When your Android smartphone or iPhone is on (and not in Airplane mode), it will actively scan (unless you specifically disable this feature in the settings) for Wi-Fi access points and Bluetooth devices around you and will be able to geolocate you with more precision than when using a GPS.


This active and continuous probing can then be sent back to Google/Apple/Microsoft as part of their Telemetry. The issue is that this probing can also be used by others: shops, for instance, can track customers, including when they return, where they go in the shop and how long they stay at a particular place. There are several papers and articles describing this in depth.

This allows them to provide accurate locations even when GPS is off, but it also allows them to keep a convenient record of all Wi-Fi and Bluetooth devices all over the world. Which can then be accessed by them or third parties for tracking.

Note: If you have an Android smartphone, Google probably knows where it is no matter what you do. You cannot really trust the settings. The whole operating system is built by a company that wants your data. Remember that if it is free then you are the product.


But that is not all those Wi-Fi access points can do. Recently developed techs could even allow someone to track your movements accurately just based on radio interferences. What this means is that it is possible to track your movement inside a room/building based on the radio signals passing through. This might seem like a tinfoil hat conspiracy theory, but here are the references with demonstrations showing this tech in action: http://rfpose.csail.mit.edu/ [Archive.org] and the video here: https://www.youtube.com/watch?v=HgDdaMy8KNE [Invidious]


Other researchers have found a way to count the people in a defined space using only Wi-Fi, see 
https://www.news.ucsb.edu/2021/020392/dont-fidget-wifi-will-count-you [Archive.org] 


You could therefore imagine many use cases for such technologies like recording who enters specific buildings/offices (hotels, hospitals, or 
embassies for instance) and then discover who meets who and thereby tracking them from outside. Even if they have no smartphone on 
them. 








Again, such an issue could only be mitigated by being in a room/building that would act as a Faraday cage. 


Here is another video of the same kind of tech in action: https://www.youtube.com/watch?v=FDZ39h-kCS8 [!nvidious] 
See Appendix N: Warning about smartphones and smart devices 
Malicious/Rogue Wi-Fi Access Points:

These have been used at least since 2008 using an attack called "Jasager" and can be done by anyone using self-built tools or using commercially available devices such as the Wi-Fi Pineapple.

Here are some videos explaining more about the topic:
>> HOPE 2020, https://archive.org/details/hopeconf2020/20200725_1800_Advanced_Wi-Fi_Hacking_With_%245_Microcontrollers.mp4
>> YouTube, Hak5, Wi-Fi Pineapple Mark VII https://www.youtube.com/watch?v=7v3JR4WIw4qQ [Invidious]


These devices can fit in a small bag and can take over the Wi-Fi environment of any place within their range. For instance, a Bar/Restaurant/Café/Hotel Lobby. These devices can force Wi-Fi clients to disconnect from their current Wi-Fi (using de-authentication and disassociation attacks) while spoofing the normal Wi-Fi networks at the same location. They will continue to perform this attack until your device connects to the rogue AP instead.
These devices can then mimic a captive portal with the exact same layout as the Wi-Fi you are trying to access (for instance an Airport Wi-Fi registration portal). Or they could just give you unrestricted internet access that they will themselves get from the same place.

Once you are connected through the Rogue AP, this AP will be able to execute various man-in-the-middle attacks to perform analysis on your traffic. These could be malicious redirections or simple traffic sniffing. These can then easily identify any client that would for instance try to connect to a VPN server or the Tor Network.

This can be useful when you know someone you want to de-anonymize is in a crowded place, but you do not know who. This would allow such an adversary to possibly fingerprint any website you visit despite the use of HTTPS, DoT, DoH, ODoH, VPN, or Tor using traffic analysis as pointed out above in the DNS section.

These can also be used to carefully craft and serve you advanced phishing webpages that would harvest your credentials or try to make you install a malicious certificate allowing them to see your encrypted traffic.

How to mitigate those? If you do connect to a public Wi-Fi access point, use Tor, or use a VPN and then Tor (Tor over VPN) or even (VPN over Tor) to obfuscate your traffic from the rogue AP while still using it.

Your Anonymized Tor/VPN traffic: 


Tor and VPNs are not silver bullets. Many advanced techniques have been developed and studied to de-anonymize encrypted Tor traffic over 
the years. Most of those techniques are Correlation attacks that will correlate your network traffic in one way or another to logs or datasets. 
Here are some examples: 

>> Correlation Fingerprinting Attacks: As illustrated (simplified) below, this attack will fingerprint your encrypted traffic (like the 
websites you visited) based on the analysis of your encrypted traffic without decrypting it. Some of those methods can do so with a 96% 
accuracy in a closed-world setting. The efficacy of those methods in a real open-world setting has not been demonstrated yet, and they 
would probably require tremendous computing resources, making it very unlikely that such techniques would be used by a local adversary 
in the near future. Such techniques could however hypothetically be used by an advanced and probably global adversary with access to 
your source network to determine some of your activity. Examples of those attacks are described in several research papers as well as 
their limitations. The Tor Project itself published an article about these attacks with some mitigations: 
https://blog.torproject.org/new-low-cost-traffic-analysis-attacks-mitigations [Archive.org] 

>> Correlation Timing Attacks: As illustrated (simplified) below, an adversary that has access to network connection logs (IP or DNS for 
instance, remember that most VPN servers and most Tor nodes are known and publicly listed) at the source and the destination could 
correlate the timings to de-anonymize you without requiring any access to the Tor or VPN network in between. A real use case of this 
technique was done by the FBI in 2013 to de-anonymize a bomb threat hoax at Harvard University. 

>> Correlation Counting Attacks: As illustrated (simplified) below, an adversary that has no access to detailed connection logs (cannot 
see that you used Tor or Netflix) but has access to data counting logs could see that you have downloaded 600MB on a specific 
time/date that matches the 600MB upload at the destination. This correlation can then be used to de-anonymize you over time. 
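The counting attack from the last bullet, as an added example (not code from the original guide): an ISP-side volume log is matched against a destination-side upload log. The log records are constructed, and the 10-minute delay window and 5% size tolerance are assumptions (Tor and VPNs add encryption overhead and latency, so sizes and times never match exactly).

```python
"""Correlation counting attack, simplified: match upload volumes seen at the
source (ISP accounting data) against upload volumes seen at the destination.

Added example for the guide, not code from the original text. The log records
are constructed; the 10-minute delay window and the 5% size tolerance are
assumptions (Tor/VPN add encryption overhead and latency, so values never
match exactly).
"""
from datetime import datetime, timedelta


def ts(s):
    return datetime.fromisoformat(s)


# Source side: what an ISP sees per subscriber towards known Tor guard / VPN
# addresses. It cannot see the content or the destination, only volumes and times.
ISP_LOG = [
    {"subscriber": "sub-A", "start": ts("2021-11-04T14:00"), "bytes_out": 600_000_000},
    {"subscriber": "sub-B", "start": ts("2021-11-04T14:01"), "bytes_out": 612_000_000},
    {"subscriber": "sub-B", "start": ts("2021-11-04T20:00"), "bytes_out": 1_230_000_000},
    {"subscriber": "sub-C", "start": ts("2021-11-04T20:00"), "bytes_out": 150_000_000},
    {"subscriber": "sub-C", "start": ts("2021-11-05T09:00"), "bytes_out": 600_000_000},
]

# Destination side: uploads the target service received from a Tor exit / VPN IP.
DEST_LOG = [
    {"received": ts("2021-11-04T14:03"), "bytes_in": 600_000_000},
    {"received": ts("2021-11-04T20:02"), "bytes_in": 1_200_000_000},
]


def explains(src, dst, max_delay=timedelta(minutes=10), size_tol=0.05):
    """True if a source flow could be the origin of a destination upload: it
    started shortly before the upload completed and moved a similar volume."""
    delay = dst["received"] - src["start"]
    if not (timedelta(0) <= delay <= max_delay):
        return False
    ratio = src["bytes_out"] / dst["bytes_in"]
    return abs(ratio - 1.0) <= size_tol


def score_subscribers(isp_log, dest_log):
    """Count, per subscriber, how many destination uploads their flows explain.
    A single coincidence is expected on a busy network; the attack works because
    the count keeps growing for the real user and stays flat for everyone else."""
    scores = {src["subscriber"]: 0 for src in isp_log}
    for dst in dest_log:
        for src in isp_log:
            if explains(src, dst):
                scores[src["subscriber"]] += 1
    return scores


def best_candidate(isp_log, dest_log):
    """Return (subscriber, matched_uploads, total_uploads) for the top scorer."""
    scores = score_subscribers(isp_log, dest_log)
    subscriber, hits = max(scores.items(), key=lambda kv: kv[1])
    return subscriber, hits, len(dest_log)


if __name__ == "__main__":
    print(score_subscribers(ISP_LOG, DEST_LOG))
    print(best_candidate(ISP_LOG, DEST_LOG))
```

In the constructed data sub-A matches one upload by coincidence and sub-B matches both; a third, fourth and fifth observation would separate them further. This is also why the mitigations below insist on changing the source network: the attack needs the same subscriber to keep showing up in the source-side log.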
There are ways to mitigate these such as: 


>> Do not use Tor/VPNs to access services that are on the same network (ISP) as the destination service. For example, do not connect to 
Tor from your University Network to access a University Service anonymously. Instead, use a different source point (such as a public 
Wi-Fi) that cannot be correlated easily by an adversary. 


>> Do not use Tor/VPN from an obviously heavily monitored network (such as a corporate/governmental network) but instead try to find an 
unmonitored network such as a public Wi-Fi or a residential Wi-Fi. 


>> Consider the use of multiple layers (Such as what will be recommended in this guide later: VPN over Tor) so that an adversary might be 
able to see that someone connected to the service through Tor but will not be able to see that it was you because you were connected 
to a VPN and not the Tor Network. 


Be aware again that this might not be enough against a motivated global adversary with wide access to global mass surveillance. Such an 
adversary might have access to logs no matter where you are and could use those to de-anonymize you. Usually, these attacks are part of 
what is called a "Sybil Attack" (an adversary running many Tor relays to raise the odds of sitting at both ends of your circuit). Be also 
aware that all the other methods described in this guide such as Behavioral analysis can also be used to de-anonymize Tor users 
indirectly (see further, Your Digital Fingerprint, Footprint, and Online Behavior). 
as well as this recent research publication 


As well as this great series of blog posts: 


Recently, one of these attacks was attempted on the Tor Network with more information here: 


Lastly, do remember that using Tor can already be considered suspicious activity, and its use could be considered malicious by some. 
Remember that such attacks are usually carried out by highly skilled, highly resourceful, and motivated adversaries and are out of scope for 
this guide. 


Disclaimer: It should also be noted that Tor is not designed to protect against a global adversary. For more information see the original 
Tor design paper ("Tor: The Second-Generation Onion Router") and specifically, "Part 3. Design goals and assumptions". 


Some Devices can be tracked even when offline: 


You have seen this in action/spy/Sci-Fi movies and shows, the protagonists always remove the battery of their phones to make sure it cannot 
be used. Most people would think that’s overkill. Well, unfortunately, no, this is now becoming true at least for some devices: 


>> iPhones and iPads (iOS 13 and above) 

>> Samsung Phones (Android 10 and above) 

>> MacBooks (macOS 10.15 and above) 


Such devices will continue to broadcast identity information to nearby devices even when offline using Bluetooth Low-Energy. The vendor 
does not reach the offline device directly (it has no internet connection); instead, other nearby online devices from the same ecosystem 
pick up its BLE beacons and relay them, together with their own location, to the vendor's servers. The vendor can then locate such devices 
and keep the location in some database that could then be used by third parties or themselves for various purposes (including analytics, 
advertising, or evidence/intelligence gathering). 

See Appendix N: Warning about smartphones and smart devices 


TLDR: Do not take such devices with you when conducting sensitive activities. 
Your Hardware Identifiers: 
Your IMEI and IMSI (and by extension, your phone number): 


The IMEI (International Mobile Equipment Identity) and the IMSI (International Mobile Subscriber Identity) are unique numbers created by 
cell phone manufacturers and cell phone network operators respectively. 


The IMEI is tied directly to the phone you are using. This number is known and tracked by the cell phone operators and known by the 
manufacturers. Every time your phone connects to the mobile network, it will register the IMEI on the network along with the IMSI (if a SIM 
card is inserted, but that is not even needed). It is also used by many applications (Banking apps abusing the phone permission on Android 
for instance) and smartphone Operating Systems (Android/iOS) for identification of the device. Changing the IMEI of a phone is possible but 
difficult (and illegal in some jurisdictions), so it is probably easier and cheaper to just find and buy some old (working) "burner" 
phone for a few Euros (this guide is for Germany remember) at a flea market or some random small shop. 


The IMSI is tied directly to the mobile subscription or pre-paid plan you are using and is tied to your phone number by your mobile provider. 
The IMSI is hardcoded directly on the SIM card and cannot be changed. Every time your phone connects to the mobile network, it will also 
register the IMSI on the network along with the IMEI. Like the IMEI, the IMSI is also being used by some applications and smartphone 
Operating systems for identification and is being tracked. Some countries in the EU for instance maintain a database of IMEI/IMSI 
associations for easy querying by Law Enforcement. 


Today, giving away your (real) phone number is as bad as (or worse than) giving away your Social Security number/Passport ID/National ID. 
The IMEI and IMSI can be traced back to you in at least six ways: 


>> The mobile operator subscriber logs will usually store the IMEI along with the IMSI and their subscriber information database. If you use 
a prepaid anonymous SIM (anonymous IMSI but with a known IMEI), they could see this cell phone belongs to you if you used that cell phone 
before with a different SIM card (different anonymous IMSI but same known IMEI). 


>> The mobile operator antenna logs will conveniently keep a log of which IMEI and IMSI connected, along with some connection data. They 
know and log for instance that the phone with this IMEI/IMSI combination connected to a set of mobile antennas and how strong the signal 
to each of those antennas was, allowing easy triangulation/geolocation of the signal. They also know which other phones (your real one 
for instance) connected at the same time to the same antennas with the same signal, which would make it possible to know precisely 
that this "burner phone" was always connected at the same place/time as this other "known phone" which shows up every time the 
"burner phone" is being used. This information can be used by various third parties to geolocate/track you quite precisely. 

>> The manufacturer of the Phone can trace back the sale of the phone using the IMEI if that phone was bought in a non-anonymous way. 
Indeed, they will have logs of each phone sale (including serial number and IMEI), to which shop/person it was sold. And if you 
are using a phone that you bought online (or from someone that knows you), it can be traced to you using that information. Even if they 
do not find you on CCTV and you bought the phone using cash, they can still find what other phone (your real one in your pocket) 
was there (in that shop) at that time/date by using the antenna logs. 


>> The IMSI alone can be used to find you as well because most countries now require customers to provide an ID when buying a SIM 
card (subscription or pre-paid). The IMSI is then tied to the identity of the buyer of the card. In the countries where the SIM can still be 
bought with cash (like the UK), they still know where (which shop) it was bought and when. This information can then be used to 
retrieve information from the shop itself (such as CCTV footage) to find the buyer. Or again, the antenna logs can also be used to 
figure out which other phone was there at the moment of the sale. 


>> The smartphone OS makers (Google/Apple for Android/iOS) also keep logs of IMEI/IMSI identifications tied to Google/Apple accounts 
and which user has been using them. They too can trace back the history of the phone and to which accounts it was tied in the past. 
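The antenna-log co-location analysis described in the second point above ("which other phone was always there when the burner was used?"), as an added example that is not code from the original guide. The antenna log is constructed, and the 15-minute matching window is an assumption; real operator logs also carry the sector and signal strength, which tighten the match further.

```python
"""Antenna-log co-location: which other phone is on the same cell at the same
time whenever the "burner" is used?

Added example for the guide, not code from the original text. The antenna log
is constructed; the 15-minute matching window is an assumption.
"""
from collections import Counter
from datetime import datetime, timedelta


def ts(s):
    return datetime.fromisoformat(s)


BURNER = "imsi-burner"

# Constructed operator antenna log: (IMSI, cell id, attach time).
ANTENNA_LOG = [
    (BURNER, "cell-1", ts("2021-11-01T10:00")),
    ("imsi-real", "cell-1", ts("2021-11-01T10:04")),
    ("imsi-bystander-1", "cell-1", ts("2021-11-01T10:10")),
    ("imsi-real", "cell-9", ts("2021-11-02T08:00")),          # real phone, elsewhere
    (BURNER, "cell-7", ts("2021-11-03T13:00")),
    ("imsi-real", "cell-7", ts("2021-11-03T13:09")),
    ("imsi-bystander-2", "cell-7", ts("2021-11-03T12:30")),   # 30 min earlier: outside window
    ("imsi-bystander-2", "cell-7", ts("2021-11-04T13:00")),   # same cell, wrong day
    (BURNER, "cell-3", ts("2021-11-05T18:00")),
    ("imsi-real", "cell-3", ts("2021-11-05T17:52")),
    ("imsi-bystander-1", "cell-3", ts("2021-11-05T17:50")),
]


def colocation_scores(log, target, window=timedelta(minutes=15)):
    """For every sighting of `target`, collect the other IMSIs attached to the
    same cell within `window`; each device is counted once per sighting.
    Returns (Counter of hits per IMSI, number of target sightings)."""
    sightings = [(cell, when) for imsi, cell, when in log if imsi == target]
    hits = Counter()
    for cell, when in sightings:
        nearby = {imsi for imsi, c, w in log
                  if imsi != target and c == cell and abs(w - when) <= window}
        hits.update(nearby)
    return hits, len(sightings)


def rank_companions(log, target, window=timedelta(minutes=15)):
    """Rank other IMSIs by how often they accompany the target, with the fraction
    of target sightings they explain. A device present at 100% of the burner's
    sightings across different cells and days is almost certainly the same person."""
    hits, total = colocation_scores(log, target, window)
    return [(imsi, n, n / total) for imsi, n in hits.most_common()]


if __name__ == "__main__":
    hits, total = colocation_scores(ANTENNA_LOG, BURNER)
    for imsi, n, frac in rank_companions(ANTENNA_LOG, BURNER):
        print(f"{imsi}: {n}/{total} sightings ({frac:.0%})")
```

Bystanders accumulate hits too (everyone in a busy cell does), but only across one or two sightings; the real phone is the one that keeps scoring in every cell on every day, which is exactly why the guide says not to carry the known phone along.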


>> Government agencies around the world interested in your phone number can and do use special devices called "IMSI catchers" like 
the Stingray or more recently the Nyxcell. These devices can impersonate (spoof) a cell phone antenna and force a specific IMSI 
(your phone) to connect to them to access the cell network. Once they do so, they will be able to use various MITM (Man-In-The-Middle 
Attacks) that will allow them to: 


>> Tap your phone (voice calls and SMS). 
>> Sniff and examine your data traffic. 
Here is also a good YouTube video on this topic: DEFCON Safe Mode - Cooper Quintin - Detecting Fake 4G Base Stations in Real-Time 
https://www.youtube.com/watch?v=siCk4pGGcgA [Invidious] 
While there are some smartphone manufacturers like Purism with their Librem series who claim to have your privacy in mind, they still do 
not allow IMEI randomization which I believe is a key anti-tracking feature that should be provided by such manufacturers. While this 
measure will not prevent IMSI tracking within the SIM card, it would at least allow you to keep the same "burner phone" and only switch SIM 
cards instead of having to switch both for privacy. 


See Appendix N: Warning about smartphones and smart devices 


Your Wi-Fi or Ethernet MAC address: 


The MAC address is a unique identifier tied to your physical Network Interface (Wired Ethernet or Wi-Fi) and could of course be used to 
track you if it is not randomized. As is the case with the IMEI, manufacturers of computers and network cards usually keep logs of their 
sales (usually including things like serial number, IMEI, MAC addresses, ...) and it is possible again for them to track where and when the 
computer with the MAC address in question was sold and to whom. Even if you bought it with cash in a supermarket, the supermarket might 
still have CCTV footage (or CCTV footage near that shop) and again the time/date of sale could be used to find out who was there using the 
Mobile Provider antenna logs at that time (IMEI/IMSI). 


Operating Systems makers (Google/Microsoft/Apple) will also keep logs of devices and their MAC addresses in their logs for device 
identification (Find my device type services for example). Apple can tell that the MacBook with this specific MAC address was tied to a 
specific Apple Account before. Maybe yours before you decided to use the MacBook for sensitive activities. Maybe to a different user who 
sold it to you but remembers your e-mail/number from when the sale happened. 


Your home router/Wi-Fi access point keeps logs of devices that are registered on the Wi-Fi, and these can be accessed too to find out who 
has been using your Wi-Fi. Sometimes this can be done remotely (and silently) by the ISP depending on if that router/Wi-Fi access point is 
being “managed” remotely by the ISP (which is often the case when they provide the router to their customers). 


Some commercial devices will keep a record of MAC addresses roaming around for various purposes such as road congestion monitoring. 
Fortunately, most recent operating systems support MAC address randomization for Wi-Fi (Android, iOS, Linux, and Windows 10), with the 
notable exception of macOS which did not support this feature at the time of writing, even in its latest Big Sur version. Check that the 
feature is actually enabled for the network you use: on Windows 10 it is off by default, and Android and iOS randomize per network 
(the same random address is reused every time you reconnect to a given SSID) rather than per connection. 
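A quick way to verify that the address an interface presents is actually a randomized one, as an added example that is not code from the original guide. It relies on the IEEE 802 address layout: in the first octet, bit 0 is the I/G (multicast) bit and bit 1 is the U/L (locally administered) bit, and every OS randomization scheme sets the U/L bit. The three-entry OUI table is a constructed stand-in for the IEEE registry.

```python
"""Tell a randomized (locally administered) MAC address from a burned-in one.

Added example for the guide, not code from the original text. The OUI table is
a constructed three-entry stand-in for the IEEE registry.
"""
import re

# Constructed, deliberately tiny OUI table (first three octets -> vendor).
OUI = {"3c:22:fb": "Apple", "b8:27:eb": "Raspberry Pi Foundation", "00:50:56": "VMware"}

_MAC_RE = re.compile(r"^([0-9a-f]{2})(?:[:-]([0-9a-f]{2})){5}$")


def parse_mac(mac):
    """Return the six octets of a MAC written as aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff."""
    text = mac.strip().lower()
    if not _MAC_RE.match(text):
        raise ValueError(f"not a MAC address: {mac!r}")
    return [int(part, 16) for part in re.split(r"[:-]", text)]


def classify_mac(mac):
    """Return 'multicast', 'locally administered (randomized or manually set)',
    or 'burned-in (<vendor>)'. Only the last kind is a stable hardware identifier."""
    octets = parse_mac(mac)
    first = octets[0]
    if first & 0x01:          # I/G bit: group address, never a station
        return "multicast"
    if first & 0x02:          # U/L bit: set by Android/iOS/Windows/Linux randomization
        return "locally administered (randomized or manually set)"
    oui = ":".join(f"{o:02x}" for o in octets[:3])
    return f"burned-in ({OUI.get(oui, 'unknown vendor')})"


def iface_mac(iface):
    """Read the address a Linux interface currently presents (what the AP sees).
    Returns None when the interface does not exist or this is not Linux."""
    try:
        with open(f"/sys/class/net/{iface}/address") as fh:
            return fh.read().strip()
    except OSError:
        return None


if __name__ == "__main__":
    for sample in ("3c:22:fb:12:34:56", "da:a1:19:00:11:22", "01:00:5e:00:00:01"):
        print(sample, "->", classify_mac(sample))
    current = iface_mac("wlan0")
    if current:
        print("wlan0", "->", classify_mac(current))
```

If the check reports a burned-in address on a Linux laptop, NetworkManager's `wifi.cloned-mac-address` setting (`random` for a new address per connection, `stable` for one per network) is the knob to turn; the check is also a good habit before connecting from a new place, since a manually set address that is reused everywhere is just as trackable as a burned-in one.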


See Appendix N: Warning about smartphones and smart devices 


Your Bluetooth MAC address: 


Your Bluetooth MAC is like the earlier MAC address except it is for Bluetooth. Again, it can be used to track you as manufacturers and 
Operating System makers keep logs of such information too. Operating systems have protections in place to randomize those addresses but 
are still subject to vulnerabilities. 


For this reason, and unless you really need those, you should just disable Bluetooth completely in the BIOS/UEFI settings if possible or in the 
Operating System otherwise. 


On Windows 10, you will need to disable and enable the Bluetooth device in the Device Manager itself to force a randomization of the address 
for next use and prevent tracking. 


In general, this should not be too much of a concern compared to MAC Addresses. BT Addresses are randomized quite often. 


See Appendix N: Warning about smartphones and smart devices 


Your CPU: 


All modern CPUs are now integrating hidden management platforms such as the now infamous Intel Management Engine and the 
AMD Platform Security Processor. 

Those management platforms are small operating systems running independently of your main OS as long as the machine has power (the 
Intel ME lives in the chipset, the AMD PSP on the CPU die). These systems have full access to your computer's network and could be 
accessed by an adversary to de-anonymize you in various ways (using direct access or using malware) as shown in this video: BlackHat, 
How to Hack a Turned-Off Computer, or Running Unsigned Code in Intel Management Engine 
https://www.youtube.com/watch?v=9fhNokigBMU [Invidious] 


These have already been affected by several security vulnerabilities in the past that allowed malware to gain control of target systems. 

These are also accused by many privacy actors including the EFF and Libreboot of being a backdoor into any system. 

There are some not so straightforward ways to disable the Intel IME on some CPUs and you should do so if you can. For some AMD 
laptops, you can disable it within the BIOS settings by disabling PSP (note that this toggle typically only hides the PSP from the operating 
system; the processor itself keeps running, as it is needed to initialize the memory at boot). 

Note that, to AMD's defense, far fewer security vulnerabilities have been published for the PSP (now called the AMD Secure Processor, ASP) 
than for the Intel ME, and no backdoor has been demonstrated so far: See https://www.youtube.com/watch?v=bKH5nGLgi08&t=2834s [Invidious]. 
In addition, AMD PSP does not provide any remote management capabilities, contrary to Intel IME and its AMT component. 

If you are feeling a bit more adventurous, you could install your own BIOS using Libreboot or Coreboot if your laptop supports it (be aware 
that Coreboot does contain some proprietary code unlike its fork Libreboot). 

In addition, some CPUs have unfixable flaws (especially Intel CPUs) that could be exploited by various malware. Here is a good current list of 
such vulnerabilities affecting recent widespread CPUs: https://en.wikipedia.org/wiki/Transient_execution_CPU_vulnerability [Wikiless] 
[Archive.org] 


Check yourself: 


>> If you are using Linux you can check the vulnerability status of your CPU to Spectre/Meltdown attacks by using 
https://github.com/speed47/spectre-meltdown-checker [Archive.org] which is available as a package for most Linux distros including 
Whonix. The kernel also exposes the same status in /sys/devices/system/cpu/vulnerabilities/ (one file per flaw). 

>> If you are using Windows, you can check the vulnerability status of your CPU using inSpectre https://www.grc.com/inspectre.htm 
[Archive.org] 

Some of these can be avoided using Virtualization Software settings that can mitigate such exploits. See this guide for more information 
https://www.whonix.org/wiki/Spectre_Meltdown [Archive.org] (warning: these can severely impact the performance of your VMs). 


I will therefore mitigate some of these issues in this guide by recommending the use of virtual machines on a dedicated anonymous laptop for 
your sensitive activities that will only be used from an anonymous public network. 

In addition, I will recommend the use of AMD CPUs vs Intel CPUs. 
Your Operating Systems and Apps telemetry services: 
Your Operating Systems and Apps telemetry services: 


Whether it is Android, iOS, Windows, macOS, or even Ubuntu, most popular Operating Systems now collect telemetry information by default 
even if you never opted in or opted out from the start. Some like Windows will not even allow disabling telemetry completely without some 
technical manipulations. This collection of information can be extensive and include a staggering number of details (metadata and data) on 
your devices and their usage. 


Here are good overviews of what is being collected by those five popular OSes in their last versions: 
>> Android/Google: 
>> Just have a read at their privacy policy https://policies.google.com/privacy [Archive.org] 


>> School of Computer Science & Statistics, Trinity College Dublin, Ireland Mobile Handset Privacy: Measuring The Data iOS and 
Android Send to Apple And Google https://www.scss.tcd.ie/doug.leith/apple_google.pdf Archive.org] 


>> iOS/Apple: 


>> More information at https://www.apple.com/legal/privacy/en-ww/ lArchive.org] and https://support.apple.com/en-us/HT202100 
[Archive.org] 


>> School of Computer Science & Statistics, Trinity College Dublin, Ireland Mobile Handset Privacy: Measuring The Data iOS and 
Android Send to Apple And Google https://www.scss.tcd.ie/doug.leith/apple_google.pdf Archive.org] 


>> Apple does claim that they anonymize this data using differential privacy but you will have to trust them on that. 
>> Windows/Microsoft: 


>> Full list of required diagnostic data: https://docs.microsoft.com/en-us/windows/privacy/required-windows-diagnostic-data-events- 
and-fields-2004 lArchive.org] 


>> Full list of optional diagnostic data: https://docs.microsoft.com/en-us/windows/privacy/windows-diagnostic-data [Archive.org] 
>> macOS: 

>> More details on https://support.apple.com/guide/mac-help/share-analytics-information-mac-mh27990/mac [Archive.org] 
>> Ubuntu: 


>> Ubuntu, despite being a Linux distribution, also collects telemetry data nowadays. This data however is quite limited compared to 
the others. More details on https://ubuntu.com/desktop/statistics [Archive.org] 


Not only are Operating Systems gathering telemetry but so are Apps themselves like Browsers, Mail Clients, and Social Networking 
Apps installed on your system. It is important to understand that this telemetry data can be tied to your device and can be used against 
you by an adversary that would get access to this data. 

This does not mean, for example, that Apple devices are terrible choices for good Privacy (at least from third parties), but they are 
certainly not the best choices for (relative) Anonymity. They might protect you from third parties knowing what you are doing but not from 
themselves. In all likelihood, they certainly know who you are. 


Later in this guide, we will use all the means at our disposal to disable and block as much telemetry as possible to mitigate this attack vector 
in the Operating Systems supported in this guide. These will include Windows, macOS, and even Linux in some regard. 


See Appendix N: Warning about smartphones and smart devices 
Your Smart devices in general: 


Your smartphone is an advanced spying/tracking device that: 
>> Listens for wake words ("Hey Siri", "Hey Google") at any time and records what follows. 
>> Records your location everywhere you go. 
>> Always records other devices around you (Bluetooth devices, Wi-Fi Access points). 
>> Records your habits and health data (steps, screen time, exposure to diseases, connected devices data) 
>> Records all your network locations. 
>> Records all your pictures and videos (and most likely where they were taken). 

>> Has most likely access to most of your known accounts including social media, messaging, and financial accounts. 

Data is being transmitted even if you opt out, processed, and stored indefinitely (most likely unencrypted) by various third parties. 


But that is not all, this section is not called “Smartphones” but “Smart devices” because it is not only your smartphone spying on you. It is also 
every other smart device you could have: 


>> Your Smart Watch? (Apple Watch, Android Smartwatch ...) 


>> Your Fitness Devices and Apps? (Strava, Fitbit, Garmin, Polar, ...) 

>> Your Smart Speaker? (Amazon Alexa/Echo, Google Nest/Home, Apple HomePod ...) 
>> Your Smart Transportation? (Car? Scooter?) 
>> Your Smart Tags? (Apple AirTag, Galaxy SmartTag, Tile...) 

>> Your Car? (Yes, most modern cars have advanced logging/tracking features these days) 


>> Any other Smart device? There are even convenient search engines dedicated to finding them online: 
>> https://www.shodan.io/ 
>> https://censys.io/ 
>> https://www.zoomeye.org/ 
See Appendix N: Warning about smartphones and smart devices 


Conclusion: Do not bring your smart devices with you when conducting sensitive activities. 
Yourself: 


Your Metadata including your Geo-Location: 


Your metadata is all the information about your activities without the actual content of those activities. For instance, it is like knowing you had 


a Call from an oncologist before then calling your family and friends successively. You do not know what was said during the conversation, but 


you can guess what it was just from the metadata. 

This metadata will also often include your location that is being harvested by Smartphones, Operating Systems (Android/iOS), Browsers, 
Apps, Websites. Odds are several companies know exactly where you are at any time because of your smartphone. 

This location data has been used in many judicial cases already as part of "geofencing warrants" that allow law enforcement to ask 
companies (such as Google/Apple) for a list of all devices present at a certain location at a certain time. In addition, this location data is 
even sold by private companies to the military who can then use it conveniently. These warrants are becoming widely used by law 
enforcement. 
If you want to experience yourself what a "geofencing warrant" would look like, here is an example: https://wigle.net/. 


Now let us say you are using a VPN to hide your IP. The social media platform knows you were active on that account on November 4th from 
8 am to 1 pm with that VPN IP. The VPN allegedly keeps no logs and cannot trace back that VPN IP to your IP. Your ISP however knows (or 





at least can know) you were connected to that same VPN provider on November 4th from 7:30 am to 2 pm but does not know what you were 
doing with it. 


The question is: Is there someone somewhere that would have both pieces of information available for correlation in a convenient 
database? 
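The VPN scenario above is a set-intersection problem, shown here as an added example that is not code from the original guide. It assumes the platform logs activity periods per account and the ISP logs connection periods per subscriber; all sessions and activity windows are constructed, and the example goes one step beyond the text by replaying several observations so the candidate set visibly shrinks.

```python
"""Intersection attack on session metadata: which ISP subscriber was connected to
the VPN provider every time the anonymous account was active?

Added example for the guide, not code from the original text. All sessions and
activity windows below are constructed.
"""
from datetime import datetime


def ts(s):
    return datetime.fromisoformat(s)


# What the platform knows: when the anonymous account was active behind the VPN IP.
ACTIVITY = [
    (ts("2021-11-04T08:00"), ts("2021-11-04T13:00")),
    (ts("2021-11-06T21:00"), ts("2021-11-06T22:30")),
    (ts("2021-11-09T07:15"), ts("2021-11-09T07:45")),
]

# What the ISP knows: per subscriber, sessions towards the VPN provider's addresses.
VPN_SESSIONS = {
    "sub-A": [(ts("2021-11-04T07:30"), ts("2021-11-04T14:00")),
              (ts("2021-11-06T20:00"), ts("2021-11-07T01:00")),
              (ts("2021-11-09T07:00"), ts("2021-11-09T08:00"))],
    "sub-B": [(ts("2021-11-04T07:00"), ts("2021-11-04T18:00")),
              (ts("2021-11-06T20:30"), ts("2021-11-06T23:00"))],   # offline on the 9th
    "sub-C": [(ts("2021-11-04T09:00"), ts("2021-11-04T12:00")),   # connected too late on the 4th
              (ts("2021-11-09T00:00"), ts("2021-11-09T23:59"))],
    "sub-D": [(ts("2021-11-01T00:00"), ts("2021-11-30T23:59"))],  # always-on VPN
}


def covers(sessions, window):
    """True if one session fully contains the activity window."""
    start, end = window
    return any(s <= start and end <= e for s, e in sessions)


def narrow(sessions_by_subscriber, activity):
    """Apply each observation in turn and return the candidate set after each one.
    Every activity window removes subscribers who were not connected; the set can
    only shrink, which is why repeated observations are so dangerous."""
    candidates = set(sessions_by_subscriber)
    history = []
    for window in activity:
        candidates = {sub for sub in candidates if covers(sessions_by_subscriber[sub], window)}
        history.append(sorted(candidates))
    return history


if __name__ == "__main__":
    for step, remaining in enumerate(narrow(VPN_SESSIONS, ACTIVITY), start=1):
        print(f"after observation {step}: {remaining}")
```

Two things to notice in the output: sub-B survives the first two observations and is only excluded by the third, so a single day of logs proves little and a month proves a lot; and sub-D, whose tunnel is never down, can never be excluded by this method at all. Keeping the VPN always on (or, as the guide recommends, not using your own ISP line as the source at all) is what starves the intersection of information.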


Have you heard of Edward Snowden? Now is the time to google him and read his book. Also read about XKEYSCORE, 
MUSCULAR, SORM, Tempora, and PRISM. 


See “We kill people based on Metadata”'** or this famous tweet from the IDF https://twitter.com/idf/status/1125066395010699264 [Archive.org] 
[Nitter] 


See Appendix N: Warning about smartphones and smart devices 
Your Digital Fingerprint, Footprint, and Online Behavior: 


This is the part where you should watch the documentary "The Social Dilemma" on Netflix as they cover this topic much better than 
anyone else IMHO. 

This includes the way you write (stylometry), the way you behave. The way you click. The way you browse. The fonts you 
use on your browser. Fingerprinting is being used to guess who someone is by the way that user is behaving. You might be using specific 
pedantic words or making specific spelling mistakes that could give you away using a simple Google search for similar features because you 
typed comparably on some Reddit post 5 years ago using a not so anonymous Reddit account. The words you type in a search engine 
alone can be used against you as the authorities now have warrants to find users who used specific keywords in search engines. 


Social Media platforms such as Facebook/Google can go a step further and can register your behavior in the browser itself. For instance, 
they can register everything you type even if you do not send it / save it. Think of when you draft an e-mail in Gmail. It is saved automatically 
as you type. They can register your clicks and cursor movements as well. 


All they need to achieve this in most cases is Javascript enabled in your browser (which is the case in most Browsers including Tor Browser 


by default). Even with Javascript disabled, there are still ways to fingerprint you. 


While these methods are usually used for marketing purposes and advertising, they can also be a useful tool for fingerprinting users. This is 
because your behavior is unique or unique enough that over time, you could be de-anonymized. 


Here are some examples: 


>> Specialized companies are selling to, for example, law enforcement agencies products for analyzing social network activities such as 
https://mediasonar.com/ [Archive.org] 


>> For example, as a basis of authentication, a user's typing speed, keystroke depressions, patterns of error (say accidentally hitting one 
key instead of a "k" on three out of every seven transactions) and mouse movements establish that person's unique pattern of behavior. 

Some commercial services such as TypingDNA (https://www.typingdna.com/ [Archive.org]) even offer such analysis as a replacement for 
two-factor authentication. 

>> This technology is also widely used in CAPTCHA services to verify that you are "human" and can be used to fingerprint a user. 
>> See Appendix A4: Counteracting Forensic Linguistics. 


Analysis algorithms could then be used to match these patterns with other users and match you to a different known user. It is unclear 
whether such data is already used or not by Governments and Law Enforcement agencies, but it might be in the future. And while this is 
mostly used for advertising/marketing/captchas purposes now. It could and probably will be used for investigations in the short or mid-term 
future to deanonymize users. 
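What "matching these patterns with other users" looks like in its simplest form, as an added example that is not code from the original guide: a toy stylometric profile links an anonymous post to an old account by shared filler words, misspellings and punctuation habits. The three texts are constructed, and the feature set is a deliberately small stand-in for real stylometric tooling, which uses hundreds of such features.

```python
"""Toy stylometry: link an anonymous post to a known author by writing habits.

Added example for the guide, not code from the original text. The three texts
are constructed; the feature set (a few function and filler words, common
misspellings, sentence length, punctuation habits) is a small stand-in for
real stylometric tooling.
"""
import math
import re
from collections import Counter

FUNCTION_WORDS = ["the", "a", "of", "to", "and", "i", "you", "it", "is", "that",
                  "honestly", "basically", "actually", "just", "really", "kinda"]
SPELLING_TELLS = ["alot", "definately", "seperate", "recieve"]

ANONYMOUS_POST = ("Honestly I just think its basically alot of hype... the tool is kinda neat "
                  "but honestly it breaks alot. Just saying.")

# Constructed "known" corpus: one old throwaway account with the same tics, one unrelated author.
KNOWN_AUTHORS = {
    "reddit_throwaway_2016": ("Honestly this game is basically alot of fun... kinda buggy but I "
                              "just keep playing. Honestly alot of people hate it, just saying."),
    "unrelated_reviewer": ("The update was released yesterday. It fixes the crash and improves "
                           "the loading time. I recommend it to everyone!"),
}


def features(text):
    """Relative frequencies of marker words and misspellings, plus sentence length,
    ellipsis and exclamation habits, as one numeric vector."""
    words = re.findall(r"[a-z']+", text.lower())
    n = max(len(words), 1)
    counts = Counter(words)
    vec = [counts[w] / n for w in FUNCTION_WORDS + SPELLING_TELLS]
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    vec.append(n / max(len(sentences), 1) / 100.0)   # mean sentence length, scaled down
    vec.append(text.count("...") / n)
    vec.append(text.count("!") / n)
    return vec


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0


def rank_authors(anonymous_text, known_texts):
    """Return [(author, similarity), ...], best match first."""
    anon = features(anonymous_text)
    scored = [(name, cosine(anon, features(text))) for name, text in known_texts.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for author, score in rank_authors(ANONYMOUS_POST, KNOWN_AUTHORS):
        print(f"{author}: {score:.2f}")
```

The throwaway account scores above 0.9 and the unrelated reviewer below 0.5 on two short posts; with a few hundred features and years of posts, as in the Reddit case the text mentions, the separation is far sharper. This is the attack that Appendix A4 (Counteracting Forensic Linguistics) is about: the mitigation is to change exactly these habits per identity, not just the account name.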


Here is a fun example you try yourself to see some of those things in action: https://clickclickclick.click (no archive links for this one sorry). 
You will see it becoming interesting over time (this requires Javascript enabled). 


Here is also a recent example just showing what Google Chrome collects on you: 
https://web.archive.org/web/https://pbs.twimg.com/media/EwiUNHOUYAGLY 7V ?format=jpg&name=4096x4096 


Here are some other resources on the topic if you cannot see this documentary: 
>> 2017, Behavior Analysis in Social Networks, https://link.springer.com/10.1007/978-1-4614-7163-9_110198-1 [Archive.org] 


>> 2017, Social Networks and Positive and Negative Affect https://www.sciencedirect.com/science/article/pii/S1877042811013747/pdf?
md5=253d8f1bb615d5dee195d353dc077d46&pid=1-s2.0-S1877042811013747-main.pdf [Archive.org] 

>> 2015, Using Social Networks Data for Behavior and Sentiment Analysis 
https://www.researchgate.net/publication/300562034_Using_Social_Networks_Data_for_Behavior_and_Sentiment_Analysis [Archive.org] 

>> 2016, A Survey on User Behavior Analysis in Social Networks 
https://www.academia.edu/30936118/A_Survey_on_User_Behaviour_Analysis_in_Social_Networks [Archive.org] 


>> 2019, Influence and Behavior Analysis in Social Networks and Social Media https://sci-hub.se/10.1007/978-3-030-02592-2 [Archive.org] 


So, how can you mitigate these? 
>> You should apply common sense and try to find your own patterns in your behavior and behave differently when using anonymous 
identities. This includes: 

>> The way you type (speed, accuracy...). 
>> The words you use (be careful with your usual expressions). 
>> The type of response you use (if you are sarcastic by default, try to have a different approach with your identities). 
>> The way you use your mouse and click (try to solve the Captchas differently than your usual way) 
>> The habits you have when using some Apps or visiting some Websites (do not always use the same menus/buttons/links to reach 
your content). 
>> See Appendix A4: Counteracting Forensic Linguistics. 


Your Clues about your Real Life and OSINT: 
These are clues you might give over time that could point to your real identity. You might be talking to someone or posting on some 
board/forum/Reddit. In those posts, you might over time leak some information about your real life. These might be memories, experiences, 
or clues you shared that could then allow a motivated adversary to build a profile to narrow their search. 

A real and well-documented case of this was the arrest of the hacker Jeremy Hammond, who shared over time several details about 
his past and was later discovered. 

There are also a few cases involving OSINT at Bellingcat. Have a look at their very informative (but slightly outdated) Online Investigation 
Toolkit (a public Google Sheets document). 


You can also view some convenient lists of some available OSINT tools here if you want to try them on yourself for example: 


>> https://github.com/jivoi/awesome-osint [Archive.org] 
>> https://web.archive.org/web/20210426041234/https://jakecreps.com/tag/osint-tools/ 
>> https://osintframework.com/ 


>> https://recontool.org 
As well as this interesting Playlist on YouTube: https://www.youtube.com/playlist?list=PLrFPX1Vfqk3ehZKSFeb9pVIHgxqrNWe8Sy [Invidious] 
As well as those interesting podcasts: 
https://www.inteltechniques.com/podcast.html 


You should never share real individual experiences/details using your anonymous identities that could later lead to finding your real identity. 
You will see more details about this in the Creating new identities section. 


Your Face, Voice, Biometrics, and Pictures: 


"Hell is other people": even if you evade every method listed above, you are not out of the woods yet thanks to the widespread use of 
advanced face recognition by everyone. 

Companies like Facebook have used advanced face recognition for years and have been using other means (Satellite imagery) to 
create maps of "people" around the world. This evolution has been going on for years to the point we can now say "We lost control of our 
faces". 


If you are walking in a touristy place, you will most likely appear in someone's selfie within minutes without knowing it. That person could then go ahead and upload that selfie to various platforms (Twitter, Google Photos, Instagram, Facebook, Snapchat ...). Those platforms will then apply face recognition algorithms to those pictures under the pretext of allowing better/easier tagging or to better organize your photo library. In addition to this, the same picture will provide a precise timestamp and in most cases the geolocation of where it was taken. Even if the person does not provide a timestamp and geolocation, it can still be guessed with other means.


Here are a few resources for even trying this yourself: 


>> Bellingcat, Guide To Using Reverse Image Search For Investigations: https://www.bellingcat.com/resources/how-tos/2019/12/26/guide-to-using-reverse-image-search-for-investigations/ [Archive.org]

>> Bellingcat, Using the New Russian Facial Recognition Site SearchFace https://www.bellingcat.com/resources/how-tos/2019/02/19/using-the-new-russian-facial-recognition-site-searchface-ru/ [Archive.org]

>> Bellingcat, Dali, Warhol, Boshirov: Determining the Time of an Alleged Photograph from Skripal Suspect Chepiga https://www.bellingcat.com/resources/how-tos/2018/10/24/dali-warhol-boshirov-determining-time-alleged-photograph-skripal-suspect-chepiga/ [Archive.org]
verifying-video-content/ [Archive.org]

>> Bellingcat, Using the Sun and the Shadows for Geolocation https://www.bellingcat.com/resources/2020/12/03/using-the-sun-and-the-shadows-for-geolocation/ [Archive.org]

>> Bellingcat, Navalny Poison Squad Implicated in Murders of Three Russian Activists https://www.bellingcat.com/news/uk-and-europe/2021/01/27/navalny-poison-squad-implicated-in-murders-of-three-russian-activists/ [Archive.org]

>> Bellingcat, Berlin Assassination: New Evidence on Suspected FSB Hitman Passed to German Investigators https://www.bellingcat.com/news/2021/03/19/berlin-assassination-new-evidence-on-suspected-fsb-hitman-passed-to-german-investigators/ [Archive.org]

>> Bellingcat, Digital Research Tutorial: Investigating a Saudi-Led Coalition Bombing of a Yemen Hospital https://www.youtube.com/watch?v=cAVZaPiVATA [Invidious]

>> Bellingcat, Digital Research Tutorial: Using Facial Recognition in Investigations https://www.youtube.com/watch?v=awY87q2Mr0E [Invidious]

>> Bellingcat, Digital Research Tutorial: Geolocating (Allegedly) Corrupt Venezuelan Officials in Europe https://www.youtube.com/watch?v=bS6gYWM4kzy [Invidious]


Gait Recognition and Other Long-Range Biometrics 


Even if you are not looking at the camera, they can still figure out who you are, analyze your gait, read your lips, and analyze the behavior of your eyes.
something uncomfortable in your shoe), as they analyze the way your body's muscles move across your entire body as you perform certain actions. The best way to fool modern gait recognition is to wear loose clothes that obscure the way your muscles move as you perform actions.


Other things that can be used to identify you include your earlobes, which are actually more identifiable than fingerprints, or even the shape of your skull. As such, soft head coverings such as balaclavas are not recommended for obscuring your identity - they make you look
(Illustration from https://www.nature.com/articles/s41598-020-79310-1 [Archive.org])





(Illustration: data commonly captured by eye trackers)
>> Eye opening and closure (e.g., blink duration and frequency, avg. distance between eyelids)
>> Eye movements (e.g., gaze fixations, saccades, smooth pursuit, ocular tremor)
>> Eye status (e.g., reddened, watery, dry)
>> Pupil properties (e.g., pupil size, pupil reactivity)
>> Iris characteristics (e.g., eye color, iris texture)
>> Facial attributes (e.g., wrinkles, eye shape, skin color, facial expressions)
Those platforms (Google/Facebook) already know who you are for a few reasons:

>> Because you have or had a profile with them, and you identified yourself.
>> Even if you never made a profile on those platforms, you still have one without even knowing it.
>> Because other people have tagged you or identified you in their holiday/party pictures.
>> Because other people have put a picture of you in their contact list, which they then shared with them.


Here is also an insightful demo of Microsoft Azure you can try for yourself at 
where you can detect emotions and compare faces from different pictures. 


Governments already know who you are because they have your ID/Passport/Driving License pictures and often added biometrics (fingerprints) to their databases. Those same governments are integrating those technologies (often provided by private companies such as the Israeli AnyVision, Clearview AI, or NEC) in their CCTV networks to look for “persons of interest”. And some heavily surveilled states like China have implemented widespread use of facial recognition for various purposes.
Here are some resources detailing some techniques used by Law Enforcement today:


>> CCC video explaining current Law Enforcement surveillance capabilities:

Apple is making FaceID mainstream and pushing its use to log you into many services, including banking systems.


The same goes with fingerprint authentication being mainstreamed by many smartphone makers to authenticate yourself. A simple picture
The same goes with your voice, which can be analyzed for various purposes as shown in the recent Spotify patent.

Even your iris can be used for identification in some places.
suitable time to re-watch Gattaca, Person of Interest, and Minority Report). And you can safely imagine how useful these large biometrics databases could be to some interested third parties.
information (pictures, videos, voice recordings ...) and have already been used for such purposes. There are even commercial services for this readily available such as https://www.respeecher.com/ [Archive.org] and https://www.descript.com/overdub [Archive.org]. See this demo: https://www.youtube.com/watch?v=t5yw5cR79VA [Invidious]


At this time, there are a few steps you can take to mitigate (and only mitigate) face recognition when conducting sensitive activities where CCTV might be present:


>> Wear a facemask, as they have been proven to defeat some face recognition technologies but not all.
>> Wear sunglasses in addition to the facemask and baseball cap to mitigate identification from your eyes' features.

>> Consider wearing special sunglasses (expensive, unfortunately) called “Reflectacles” https://www.reflectacles.com/ [Archive.org]. There was a small study showing their efficiency against IBM and Amazon facial recognition.

>> All that might still be useless because of the gait recognition mentioned earlier, but there might be hope here if you have a 3D printer: https://gitlab.com/FG-01/fg-01 [Archive.org] (see Gait Recognition and Other Long-Range Biometrics above).

(Note that if you intend to use these where advanced facial recognition systems have been installed, these measures could also flag you as suspicious by themselves and trigger a human check.)


Phishing and Social Engineering: 


Phishing is a social engineering type of attack where an adversary could try to extract information from you by pretending to be, or impersonating, someone or something else.

A typical case is an adversary using a man-in-the-middle attack or a fake e-mail/call to ask for your credentials for a service.


Such attacks can also be used to de-anonymize someone by tricking them into downloading malware or revealing personal information over time. The only defense against them is common sense: do not fall for them.


These have been used countless times since the early days of the internet, and the usual one is called the “419 scam” (see https://en.wikipedia.org/wiki/Advance-fee_scam [Wikiless] [Archive.org]).

Here is a good video if you want to learn a bit more about phishing types: Black Hat, Ichthyology: Phishing as a Science https://www.youtube.com/watch?v=Z20XNp-luNA [Invidious]


Malware, exploits, and viruses: 


Malware in your files/documents/e-mails:


Using steganography or other techniques, it is easy to embed malware into common file formats such as Office documents, pictures, videos, PDF documents...

These can be as simple as HTML tracking links or complex targeted malware.

These could be simple pixel-sized images hidden in your e-mails that would call a remote server to try and get your IP address.
your system.
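As an added example (not from the guide), the following Python lists the remote images an HTML e-mail would load when rendered, since each one is a request that reveals your IP address to that host, and flags the 1x1 or hidden ones as likely tracking pixels. The e-mail body and the hostnames are constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML e-mail body (hosts are made up for this demo).
SAMPLE_EMAIL = """<html><body>
<p>Hello,</p>
<img src="cid:logo@local" width="120" height="40" alt="logo">
<img src="https://tracker.example/open?u=ab12" width="1" height="1" style="display: none">
<img src="https://cdn.example/banner.png" width="600" height="200">
<a href="https://cdn.example/article">Read more</a>
</body></html>"""


class RemoteImageFinder(HTMLParser):
    """Collect every <img> whose src would trigger a request to a remote host."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        url = urlparse(src)
        # cid: (attached) and data: (inline) images do not contact any server.
        if url.scheme not in ("http", "https"):
            return
        style = a.get("style", "").replace(" ", "").lower()
        tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        hidden = "display:none" in style or "visibility:hidden" in style
        self.images.append({"src": src, "host": url.hostname, "pixel": tiny or hidden})


def analyze_email(html):
    """Return the remote hosts a mail client would contact when rendering the
    message, plus the subset of images that look like tracking pixels."""
    parser = RemoteImageFinder()
    parser.feed(html)
    parser.close()
    return {
        "remote_hosts": sorted({img["host"] for img in parser.images}),
        "pixels": [img for img in parser.images if img["pixel"]],
    }


if __name__ == "__main__":
    report = analyze_email(SAMPLE_EMAIL)
    print("Remote hosts contacted when rendering:", report["remote_hosts"])
    for p in report["pixels"]:
        print("Likely tracking pixel:", p["src"])
```

Note that the large banner leaks your IP just as well as the pixel; the pixel is only the covert case, which is why mail clients offer a "do not load remote content" setting.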
See these good videos for more explanations on the matter:
>> What is a File Format? https://www.youtube.com/watch?v=VVdmmNOsu6E [Invidious]
>> Ange Albertini: Funky File Formats: https://www.youtube.com/watch?v=hdCs6bPM4is [Invidious]


You should always use extreme caution. To mitigate these attacks, this guide will later recommend the use of virtualization (See Appendix W: Virtualization).


If you want to learn how to try detecting such malware, see Appendix T: Checking files for malware.


Malware and Exploits in your apps and services: 


So, you are using Tor Browser or Brave Browser over Tor. You could be using those over a VPN for added security. But you should keep in mind that there are exploits that could be known by an adversary (but unknown to the app/browser provider). Such exploits could be used to compromise your system and reveal details to de-anonymize you, such as your IP address or other details.
A real use case of this technique was the Freedom Hosting case in 2013, where the FBI inserted malware using a Firefox browser exploit on a Tor website. This exploit allowed them to reveal details of some users. More recently, there was the notable SolarWinds hack that breached several US government institutions by inserting malware into an official software update server.


In some countries, malware is just mandatory and/or distributed by the state itself. This is the case for instance in China with WeChat.


There are countless examples of malicious browser extensions, smartphone apps, and various apps that have been infiltrated with malware 
over the years. 


Here are some steps to mitigate this type of attack:
>> You should never have 100% trust in the apps you are using.
>> You should always check that you are using the updated version of such apps before use and ideally validate each download using their signature if available.
>> You should not use such apps directly on a hardware system but instead use a Virtual Machine for compartmentalization.


To reflect these recommendations, this guide will therefore later guide you in the use of Virtualization (See Appendix W: Virtualization) so that even if your Browser/Apps get compromised by a skilled adversary, that adversary will find himself stuck in a sandbox without being able to access identifying information or compromise your system.


Malicious USB devices: 


There are readily available and cheap commercial “BadUSB” devices that can deploy malware, log your typing, geolocate you, listen to you, or gain control of your laptop just by being plugged in. Here are some examples that you can already buy yourself:

>> Hak5, USB Rubber Ducky https://shop.hak5.org/products/usb-rubber-ducky-deluxe [Archive.org]
>> Hak5, O.MG Cable https://www.youtube.com/watch?v=V5mBJHotZv0 [Invidious]
>> Keelog https://www.keelog.com/ [Archive.org]
>> AliExpress https://www.aliexpress.com/i/4000710369016.html [Archive.org]


Such devices can be implanted anywhere (charging cable, mouse, keyboard, USB key ...) by an adversary and can be used to track you or compromise your computer. A well-known example of such an attack is Stuxnet in 2005.


While you could inspect a USB key physically, scan it with various utilities, and check the various components to see if they are genuine, you will most likely never be able to discover complex malware embedded in genuine parts of a genuine USB key by a skilled adversary without advanced forensics equipment.

To mitigate this, you should never trust such devices or plug them into sensitive equipment. If you use a charging device, you should consider a USB data-blocking adapter that allows charging only, and you should consider disabling the USB ports of your computer (in the BIOS/UEFI) unless you need them (if you can).


Malware and backdoors in your Hardware Firmware and Operating System: 


This might sound a bit familiar as this was already partially covered previously in the Your CPU section. 


Malware and backdoors can be embedded directly into your hardware components. Sometimes those backdoors are implemented by the manufacturer itself, such as the IME in the case of Intel CPUs. And in other cases, such backdoors can be implemented by a third party that places itself between orders of new hardware and customer delivery.


Such malware and backdoors can also be deployed by an adversary using software exploits. Many of those are called rootkits within the tech world. Usually, these types of malware are harder to detect and mitigate as they are implemented at a lower level than the userspace and often in the firmware of hardware components itself.


What is firmware? Firmware is a low-level operating system for devices. Each component in your computer probably has firmware, including for instance your disk drives. The BIOS/UEFI system of your machine for instance is a type of firmware.

As mentioned previously, these are harder for users to detect, but some limited steps can be taken to mitigate some of them by protecting your device from tampering and using some measures (like re-flashing the BIOS for example). Unfortunately, if such malware or a backdoor is implemented by the manufacturer itself, it becomes extremely difficult to detect and disable.

Your files, documents, pictures, and videos: 


Properties and Metadata: 


This can be obvious to many but not to all. Most files have metadata attached to them. Good examples are pictures that store EXIF information, which can hold details such as GPS coordinates, the camera or phone model, and precisely when the picture was taken. While this information might not directly reveal who you are, it could tell exactly where you were at a certain moment, which could allow others to use various sources to find you (CCTV or other footage taken at the same place at the same time during a protest for instance). You must verify any file you would put on those platforms for any properties that might hold information leading back to you.
(Illustration from Wikipedia: example EXIF metadata of a photograph)
>> GPS Altitude: 31.9 m
>> GPS Latitude: 6deg 14' 7.620"
>> GPS Longitude: 106deg 49' 30.210"
>> Date and Time: 2018:08:24 15:47:2T
>> Manufacturer: Apple
>> Model: iPhone 6S
>> Aperture: F2.2
>> Exposure Bias: 0 EV
>> Exposure Mode: Auto
>> Exposure Program: Auto
>> Exposure Time: 1/874 s
>> Flash: No, auto
>> FNumber: F2.2
>> Focal Length: 4.2 mm
>> ISO Speed Ratings: 25
>> Metering Mode: Multi-segment
>> Shutter speed: 1/874 s
>> White Balance: Auto


This also works for videos. Yes, videos too have geo-tagging, and many are very unaware of this. Here is for instance a very convenient tool to geo-locate YouTube videos: https://mattw.io/youtube-geofind/location [Archive.org]


For this reason, you will always have to be incredibly careful when uploading files using your anonymous identities and check the metadata of those files.
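As an added example (not from the guide), here is a pure-Python reader that pulls the GPS coordinates out of a JPEG's Exif APP1 segment, and a stripper that drops the whole segment before publishing. The JPEG is constructed inside the script (carrying the coordinates from the illustration above) rather than being a real photo; the segment and tag layout follows the Exif/TIFF specification.

```python
import struct

GPS_IFD_POINTER = 0x8825          # Exif tag in IFD0 pointing at the GPS sub-IFD
TAG_LAT_REF, TAG_LAT, TAG_LON_REF, TAG_LON = 0x0001, 0x0002, 0x0003, 0x0004
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5

def _rational(num, den):
    return struct.pack("<II", num, den)

def build_sample_jpeg():
    """Constructed sample: a minimal JPEG whose APP1 segment carries an Exif GPS IFD
    with the coordinates from the illustration. It is not a decodable photograph."""
    tiff = bytearray(b"II*\x00" + struct.pack("<I", 8))   # little-endian TIFF header, IFD0 at 8
    gps_ifd_off = 8 + (2 + 12 * 1 + 4)                     # IFD0 holds a single entry
    tiff += struct.pack("<H", 1)
    tiff += struct.pack("<HHII", GPS_IFD_POINTER, TYPE_LONG, 1, gps_ifd_off)
    tiff += struct.pack("<I", 0)                           # no IFD1
    data_off = gps_ifd_off + (2 + 12 * 4 + 4)              # rationals follow the GPS IFD
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI", TAG_LAT_REF, TYPE_ASCII, 2) + b"N\x00\x00\x00"
    tiff += struct.pack("<HHII", TAG_LAT, TYPE_RATIONAL, 3, data_off)
    tiff += struct.pack("<HHI", TAG_LON_REF, TYPE_ASCII, 2) + b"E\x00\x00\x00"
    tiff += struct.pack("<HHII", TAG_LON, TYPE_RATIONAL, 3, data_off + 24)
    tiff += struct.pack("<I", 0)
    tiff += _rational(6, 1) + _rational(14, 1) + _rational(762, 100)      # 6deg 14' 7.62"
    tiff += _rational(106, 1) + _rational(49, 1) + _rational(3021, 100)   # 106deg 49' 30.21"
    payload = b"Exif\x00\x00" + bytes(tiff)
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    comment = b"\xff\xfe" + struct.pack(">H", 2 + 7) + b"sample\x00"      # stand-in for image data
    return b"\xff\xd8" + app1 + comment + b"\xff\xd9"

def iter_segments(jpeg):
    """Yield (marker, raw_segment) for each marker segment; stops at SOS or EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xD9:                  # EOI
            yield marker, jpeg[pos:pos + 2]
            return
        if marker == 0xDA:                  # SOS: entropy-coded data runs to the end
            yield marker, jpeg[pos:]
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, jpeg[pos:pos + 2 + length]
        pos += 2 + length

def _entries(tiff, off, end):
    """Iterate the 12-byte entries of the IFD at `off` as (tag, type, count, value_field)."""
    (n,) = struct.unpack(end + "H", tiff[off:off + 2])
    for i in range(n):
        e = tiff[off + 2 + 12 * i:off + 14 + 12 * i]
        tag, typ, count = struct.unpack(end + "HHI", e[:8])
        yield tag, typ, count, e[8:12]

def _gps_from_tiff(tiff):
    end = {b"II": "<", b"MM": ">"}[tiff[:2]]           # byte order declared by the TIFF header
    (ifd0,) = struct.unpack(end + "I", tiff[4:8])
    gps_off = None
    for tag, typ, count, val in _entries(tiff, ifd0, end):
        if tag == GPS_IFD_POINTER:
            (gps_off,) = struct.unpack(end + "I", val)
    if gps_off is None:
        return None
    fields = {}
    for tag, typ, count, val in _entries(tiff, gps_off, end):
        if typ == TYPE_ASCII:
            fields[tag] = val[:1].decode("ascii")
        elif typ == TYPE_RATIONAL and count == 3:       # degrees, minutes, seconds
            (off,) = struct.unpack(end + "I", val)
            p = struct.unpack(end + "IIIIII", tiff[off:off + 24])
            d, m, s = (p[i] / p[i + 1] for i in (0, 2, 4))
            fields[tag] = d + m / 60 + s / 3600
    if TAG_LAT not in fields or TAG_LON not in fields:
        return None
    lat = fields[TAG_LAT] * (-1 if fields.get(TAG_LAT_REF) == "S" else 1)
    lon = fields[TAG_LON] * (-1 if fields.get(TAG_LON_REF) == "W" else 1)
    return round(lat, 6), round(lon, 6)

def read_gps(jpeg):
    """Return (latitude, longitude) in decimal degrees from Exif GPS data, or None."""
    for marker, seg in iter_segments(jpeg):
        if marker == 0xE1 and seg[4:10] == b"Exif\x00\x00":
            return _gps_from_tiff(seg[10:])
    return None

def strip_exif(jpeg):
    """Drop every APP1 segment (Exif, and XMP which also uses APP1) before publishing."""
    out = bytearray(b"\xff\xd8")
    for marker, seg in iter_segments(jpeg):
        if marker != 0xE1:
            out += seg
    return bytes(out)

if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("GPS in original:", read_gps(photo))               # (6.23545, 106.825058)
    print("GPS after strip:", read_gps(strip_exif(photo)))   # None
```

Exif is not the only carrier: IPTC data lives in APP13 and embedded thumbnails can keep their own copy, so re-check the stripped file with an independent tool before uploading it.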
Watermarking:

Pictures/Videos/Audio:


Pictures/videos often contain visible watermarks indicating who the owner/creator is, but there are also invisible watermarks in various products aiming at identifying the viewer itself.

So, if you are thinking about leaking some pictures, videos or audio files, think twice: there is a chance that they contain invisible watermarking that includes information about you as a viewer. Such watermarks can be enabled with a simple switch in apps like Zoom (video or audio) or with extensions for popular apps such as Adobe Premiere Pro. These can be inserted by various content management systems.


For a recent example where someone leaking a Zoom meeting recording was caught because it was watermarked: 
https://theintercept.com/2021/01/18/leak-zoom-meeting/ [Tor Mirror] [Archive.org] 


Such watermarks can be inserted by various products using steganography and can resist compression and re-encoding. These watermarks are not easily detectable and could allow identification of the source despite all efforts.


In addition to watermarks, the camera used for filming (and therefore the device used for filming) a video can also be identified using various techniques.
Be extremely careful when publishing videos/pictures/audio files from known commercial platforms, as they might contain such invisible watermarks in addition to details in the images themselves. There is no guaranteed 100% protection against those. You will have to use common sense.


Printing watermarking: 


Did you know your printer is most likely spying on you too? Even if it is not connected to any network? This is usually a known fact for many in the IT community, but few outside of it.


Yes ... Your printers can be used to de-anonymize you as well, as explained by the EFF here: https://www.eff.org/issues/printers [Archive.org]


With this (old but still relevant) video explaining how, from the EFF as well: https://www.youtube.com/watch?v=izMGMsIZK4U [Invidious]
Steganography. There is no tangible way to mitigate this but to inform yourself about your printer and make sure it does not print any invisible watermark.


Here is an (old but still relevant) list of printers and brands that do not print such tracking dots, provided by the EFF: https://www.eff.org/pages/list-printers-which-do-or-do-not-display-tracking-dots [Archive.org]
Pixelized or Blurred Information:


Did you ever see a document with blurred text? Did you ever make fun of those movies/series where they “enhance” an image to recover 
seemingly impossible-to-read information? 


Well, there are techniques for recovering information from such documents, videos, and pictures. 


Here is for example an open-source project you could use yourself for recovering text from some blurred images yourself: 
https://github.com/beurtschipper/Depix [Archive.org] 


(Illustration: Depix sample image, reading “Hello from the other”)





This is of course an open-source project available for all to use. But you can imagine that such techniques have probably been used before 
by other adversaries. These could be used to reveal blurred information from published documents that could then be used to de-anonymize 
you. 


There are also tutorials for using such techniques with photo editing tools such as GIMP.





Finally, you will find plenty of deblurring resources here: https://github.com/subeeshvasu/Awesome-Deblurring [Archive.org]
Some online services could even help you do this automatically to some extent, like the MyHeritage.com enhance tool: https://www.myheritage.com/photo-enhancer [Archive.org]


(Illustration: result of the above tool on the sample image)








Of course, this tool is more like “guessing” than really deblurring at this point, but it could be enough to find you using various reverse image 
searching services. 


For this reason, it is always extremely important that you correctly redact and curate any document you might want to publish. Blurring is not enough, and you should always completely blacken/remove any sensitive data to avoid any attempt at recovering data by any adversary. Do not pixelize or blur: put a solid black rectangle over the information you want to redact.


Your Cryptocurrencies transactions: 


Contrary to widespread belief, crypto transactions (such as Bitcoin and Ethereum) are not anonymous. Most cryptocurrencies can be tracked accurately through various methods.

Remember what they say on their page: https://bitcoin.org/en/you-need-to-know [Archive.org] and https://bitcoin.org/en/protect-your-privacy [Archive.org]: “Bitcoin is not anonymous”.


The main issue is not setting up a random crypto wallet to receive some currency behind a VPN/Tor address (at this point, the wallet is anonymous). The issue is mainly when you want to convert fiat money (Euros, Dollars ...) to crypto and then when you want to cash in your crypto. You will have few realistic options but to transfer those to an exchange (such as Coinbase/Kraken/Bitstamp/Binance). Those exchanges have known wallet addresses and will keep detailed logs (due to KYC financial regulations) and can then trace back those crypto transactions to you using the financial system.


There are some cryptocurrencies with privacy/anonymity in mind like Monero, but even those have some caveats and warnings to consider. Even if you use mixers or tumblers (services that “anonymize” cryptocurrency by mixing it with others'), keep in mind this is only obfuscation and not actual anonymity. Not only are they only obfuscation, but they could also put you in trouble as you might end up exchanging your crypto against “dirty” crypto that was used in various questionable contexts.


This does not mean you cannot use Bitcoin anonymously at all. You can actually use Bitcoin anonymously as long as you do not convert it to 
actual currency and use a Bitcoin wallet from a safe anonymous network. Meaning you should avoid KYC/AML regulations by various 
exchanges and avoid using the Bitcoin network from any known IP address. See Appendix Z: Paying anonymously online with BTC (or any 
other cryptocurrency). 
other for sensitive transactions unless you are aware of the limitations and risks involved. Please do read Appendix B2: Monero Disclaimer.

TLDR: Use Monero!


Your Cloud backups/sync services:


All companies are advertising their use of end-to-end encryption (E2EE). This is true for almost every messaging app and website (HTTPS). 
Apple and Google are advertising their use of encryption on their Android devices and their iPhones. 


But what about your backups? Those automated iCloud/Google Drive backups you have? 


Well, you should know that most of those backups are not fully end-to-end encrypted and will hold some of your information readily available for a third party. You will see their claims that data is encrypted at rest and safe from anyone ... except they usually do keep a key to access some of the data themselves. These keys are used to index your content, recover your account, and collect various analytics.

There are specialized commercial forensics solutions available (Magnet Axiom, Cellebrite Cloud) that will help an adversary analyze your cloud data with ease.
>> Apple iCloud: https://support.apple.com/en-us/HT202303 [Archive.org] - “Messages in iCloud also uses end-to-end encryption. If you have iCloud Backup turned on, your backup includes a copy of the key protecting your Messages. This ensures you can recover your Messages if you lose access to iCloud Keychain and your trusted devices.”

>> Google Drive and WhatsApp: https://faq.whatsapp.com/android/chats/about-google-drive-backups/ [Archive.org]. “Media and messages you back up aren't protected by WhatsApp end-to-end encryption while in Google Drive.”





Facebook/WhatsApp have announced the rollout of encrypted backups on October 14th, 2021 (https://about.fb.com/news/2021/10/end-to-end-encrypted-backups-on-whatsapp/ [Archive.org]), which should solve this issue.


>> Dropbox: https://www.dropbox.com/privacy#terms [Archive.org] “To provide these and other features, Dropbox accesses, stores, and scans Your Stuff. You give us permission to do those things, and this permission extends to our affiliates and trusted third parties we work with”.

>> Microsoft OneDrive: https://privacy.microsoft.com/en-us/privacystatement [Archive.org]. Productivity and communications products, “When you use OneDrive, we collect data about your usage of the service, as well as the content you store, to provide, improve, and
You should not trust cloud providers with your (not previously and locally encrypted) sensitive data, and you should be wary of their privacy claims. In most cases, they can access your data and provide it to a third party if they want to.

The only way to mitigate this is to encrypt your data on your side and then only upload it to such services, or just not use them at all.


Your Browser and Device Fingerprints: 


Your Browser and Device Fingerprints are a set of properties/capabilities of your System/Browser. These are used on most websites for invisible user tracking but also to adapt the website user experience depending on their browser. For instance, websites will be able to provide a “mobile experience” if you are using a mobile browser or propose a specific language/geographic version depending on your fingerprint. Most of those techniques work with recent browsers like Chromium-based browsers (such as Chrome/Edge) or Firefox unless taking specific measures.

You can find a lot of detailed information and publications about this on these resources:
>> https://amiunique.org/links [Archive.org]
>> https://brave.com/brave-fingerprinting-and-privacy-budgets/ [Archive.org]


Most of the time, those fingerprints will, unfortunately, be unique or nearly unique to your Browser/System. This means that even if you log out from a website and then log back in using a different username, your fingerprint might remain the same if you did not take precautionary measures.


An adversary could then use such fingerprints to track you across multiple services even if you have no account on any of them and are 
using adblocking. These fingerprints could in turn be used to de-anonymize you if you keep the same fingerprint between services. 


It should also be noted that while some browsers and extensions will offer some fingerprint resistance, this resistance in itself can also be used to fingerprint you, as explained here: https://palant.info/2020/12/10/how-anti-fingerprinting-extensions-tend-to-make-fingerprinting-easier/ [Archive.org]
Virtualization (See Appendix W: Virtualization), using specific recommendations (See Appendix A5: Additional browser precautions with JavaScript enabled and Appendix V1: Hardening your Browsers) and using fingerprinting-resistant browsers (Brave and Tor Browser).


Local Data Leaks and Forensics: 


Most of you have probably seen enough crime dramas on Netflix or TV to know what forensics are. These are technicians (usually working for law enforcement) that will perform various analyses of evidence. This of course could include your smartphone or laptop.
border check. These unrelated checks might reveal secret information to adversaries that had no prior knowledge of such activities.


Forensics techniques are now very advanced and can reveal a staggering amount of information from your devices even if they are encrypted. These techniques are widely used by law enforcement all over the world and should be considered.
Here are some recent resources you should read about your smartphone:


>> UpTurn, The Widespread Power of U.S. Law Enforcement to Search Mobile Phones https://www.upturn.org/reports/2020/mass- 
extraction/ Archive.org] 


>> New-York Times, The Police Can Probably Break Into Your Phone https://www.nytimes.com/2020/10/21/technology/iphone-encryption- 
police.html [Archive.org] 


>> Vice, Cops Around the Country Can Now Unlock iPhones, Records Show hitps://www.vice.com/en/article/vbxxxd/unlock-iphone-ios11- 
graykey-grayshift-police [Archive.org] 


I also highly recommend that you read some documents from a forensics examiner perspective such as:

>> EnCase Forensic User Guide, http://encase-docs.opentext.com/documentation/encase/forensic/8.07/Content/Resources/External%20Files/EnCase%20Forensic%20v8.07%20User%20Guide.pd [Archive.org]


>> FTK Forensic Toolkit, https://accessdata.com/products-services/forensic-toolkit-ftk [Archive.org]





>> SANS Digital Forensics and Incident Response Videos, https://www.youtube.com/c/SANSDigitalForensics/videos 


And finally, here is a very instructive and detailed paper on the current state of iOS/Android security from Johns Hopkins University: https://securephones.io/main.html


When it comes to your laptop, the forensics techniques are many and widespread. Many of those issues can be mitigated by using full disk encryption, virtualization (See Appendix W: Virtualization), and compartmentalization. This guide will later detail such threats and techniques to mitigate them.

There is a frequent adage among the infosec community: “Don’t roll your own crypto!”.


And there are reasons for that:


I would not want people to be discouraged from studying and innovating in the crypto field because of that adage. So instead, I would recommend people to be cautious with “Roll your own crypto” because it is not necessarily good crypto:


>> Good cryptography is not easy and usually takes years of research to develop and fine-tune. 

>> Good cryptography is transparent and not proprietary/closed source so it can be reviewed by peers. 

>> Good cryptography is developed carefully, slowly, and rarely alone. 

>> Good cryptography is usually presented and discussed in conferences and published in various journals. 
>> Good cryptography is extensively peer-reviewed before it is released for use in the wild. 

>> Using and implementing existing good cryptography correctly is already a challenge. 


Yet, this is not stopping some from doing it anyway and publishing various production Apps/Services using their self-made cryptography or 
proprietary closed-source methods: 


>> You should apply caution when using Apps/Services using closed-source or proprietary encryption methods. All the good crypto standards are public and peer-reviewed and there should be no issue disclosing the one you use.


>> You should be wary of Apps/Services using a “modified” or proprietary cryptographic method.


>> By default, you should not trust any “Roll your own crypto” until it was audited, peer-reviewed, vetted, and accepted by the cryptography community.


>> There is no such thing as “military-grade crypto”.

Cryptography is a complex topic and bad cryptography could easily lead to your de-anonymization.

In the context of this guide, I recommend sticking to Apps/Services using well-established, published, and peer-reviewed methods.


So, what to prefer and what to avoid as of 2021? You will have to look it up for yourself to get the technical details of each app and see if they are using “bad crypto” or “good crypto”. Once you have the technical details, you can check this page to see what it is worth: https://latacora.micro.blog/2018/04/03/cryptographic-right-answers.html [Archive.org]


Here are some examples:
>> Hashes:
    >> Prefer: SHA-3 or BLAKE2
    >> Still relatively ok to use: SHA-2 (such as the widely used SHA256 or SHA512)
    >> Avoid: SHA-1, MD5 (unfortunately still widely used), CRC, MD6 (rarely used)
>> File/Disk Encryption:
    >> Prefer:
        >> Hardware Accelerated: AES (Rijndael) 256 Bits with HMAC-SHA-2 or HMAC-SHA-3 (This is what Veracrypt, Bitlocker, Filevault 2, KeepassXC, and LUKS use by default). Prefer SHA-3.
        >> Non-Hardware Accelerated: Same as accelerated above or if available consider:
            >> ChaCha20 or XChaCha20 (You can use ChaCha20 with Kryptor https://www.kryptor.co.uk, unfortunately, it is not available with Veracrypt).
            >> Serpent
            >> TwoFish
    >> Avoid: Pretty much anything else
>> Password Storage:
    >> Prefer: argon2, scrypt, bcrypt, or if not possible at least PBKDF2 (only as a last resort)
    >> Avoid: SHA-3, SHA-2, SHA-1, MD5

>> Browser Security (HTTPS):
    >> Prefer: TLS 1.3 (ideally TLS 1.3 with ECH/eSNI support) or at least TLS 1.2 (widely used)
    >> Avoid: Anything Else (TLS <=1.1, SSL <=3)
>> Signing messages/files with PGP/GPG:
    >> Prefer: ECDSA (ed25519)+ECDH (ec25519) or RSA 4096 Bits*
    >> Consider a more modern alternative to PGP/GPG: Minisign https://jedisct1.github.io/minisign/ [Archive.org]
    >> Avoid: RSA 2048 bits
>> SSH keys:
    >> Prefer: ED25519 (preferred) or RSA 4096 Bits*
    >> Avoid: RSA 2048 bits

* Warning: RSA and ED25519 are unfortunately not seen as “Quantum Resistant” and while they have not been broken yet, they probably will be broken someday in the future. It is just a matter of when rather than if RSA will ever be broken. So, these are only preferred in those contexts due to lack of a better possibility.
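To make the SSH-key line above checkable, here is an added example (not the guide’s code) that parses OpenSSH public-key lines in their wire format, reads the RSA modulus size, and sorts keys into the preferred/ok/avoid buckets. It generalises the list slightly by treating any RSA key below 4096 bits as “avoid”, not only 2048. The keys it runs on are constructed inside the block (the RSA modulus is a random number of the right size, not a real key) so that it runs offline; the helper and function names are my own:

```python
import base64
import secrets
import struct
from typing import List, Tuple

# ---- OpenSSH wire-format helpers (RFC 4251 "string" and "mpint") ------------

def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw  # mpint is two's complement: keep positive values positive
    return ssh_string(raw)


def parse_pubkey_line(line: str) -> Tuple[str, List[bytes], str]:
    """Split 'type base64blob [comment]' and unpack the blob's string fields."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, blob_b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(blob_b64, validate=True)
    fields, offset = [], 0
    while offset < len(blob):
        (length,) = struct.unpack(">I", blob[offset:offset + 4])
        offset += 4
        fields.append(blob[offset:offset + length])
        offset += length
    if not fields or fields[0] != key_type.encode():
        raise ValueError("key type inside the blob does not match the line prefix")
    return key_type, fields, comment


def classify_key(line: str) -> str:
    """ED25519 preferred, RSA >= 4096 ok, smaller RSA avoid (assumption: generalises the list)."""
    key_type, fields, _ = parse_pubkey_line(line)
    if key_type == "ssh-ed25519":
        return "preferred: ED25519"
    if key_type == "ssh-rsa":
        # ssh-rsa blob = string "ssh-rsa", mpint e, mpint n
        bits = int.from_bytes(fields[2], "big").bit_length()
        verdict = "ok" if bits >= 4096 else "avoid"
        return f"{verdict}: RSA {bits} bits"
    return f"not covered by the list: {key_type}"


def audit(lines) -> List[Tuple[str, str]]:
    """Classify every key line of an authorized_keys-style input, skipping blanks and comments."""
    report = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key_type, _, comment = parse_pubkey_line(line)
        report.append((comment or key_type, classify_key(line)))
    return report


# ---- constructed sample keys (NOT real keys: random bytes of the right shape) --

def fake_rsa_line(bits: int, comment: str) -> str:
    e = 65537
    n = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # exact bit length, odd
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def fake_ed25519_line(comment: str) -> str:
    blob = ssh_string(b"ssh-ed25519") + ssh_string(secrets.token_bytes(32))
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


SAMPLE_AUTHORIZED_KEYS = [
    "# constructed sample, not a real authorized_keys file",
    fake_ed25519_line("laptop-ed25519"),
    fake_rsa_line(4096, "old-desktop-rsa4096"),
    fake_rsa_line(2048, "legacy-rsa2048"),
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_AUTHORIZED_KEYS):
        print(f"{name:24} {verdict}")
```

The same parser works on real `~/.ssh/*.pub` or `authorized_keys` lines, since it only reads the public blob; the modulus size is taken from the key itself rather than from the comment, which anyone can edit.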


Here are some real cases of issues with bad cryptography:
>> Telegram: https://democratic-europe.eu/2021/07/20/cryptographers-uncover-four-vulnerabilities-in-telegram/ [Archive.org]
>> Telegram: https://buttondown.email/cryptography-dispatches/archive/cryptography-dispatches-the-most-backdoor-looking/ [Archive.org]
>> Cryptocat: https://web.archive.org/web/20130705051050/https://blog.crypto.cat/2013/07/new-critical-vulnerability-in-cryptocat-details/
>> Some other examples can be found here: https://www.cryptofails.com/ [Archive.org]
Many people have the idea that privacy-oriented services such as VPN or E-Mail providers are safe due to their no-logging policies or their encryption schemes. Unfortunately, many of those same people forget that all those providers are legal commercial entities subject to the laws of the countries in which they operate.

Any of those providers can be forced to silently (without your knowledge, using for example a court order with a gag order or a national security letter) log your activity to de-anonymize you. There have been several recent examples of those:


>> 2021, ProtonMail, ProtonMail logged IP address of French activist after an order by Swiss authorities.


>> 2021, WindScribe, servers were not encrypted as they should have been, allowing MITM attacks by authorities.


>> 2021, DoubleVPN servers, logs, and account info seized by law enforcement.


>> 2021, The Germany-based mail provider Tutanota was forced to monitor specific accounts for 3 months.


>> 2020, The Germany-based mail provider Tutanota was forced to implement a backdoor to intercept and save copies of the unencrypted e-mails of one user (they did not decrypt the stored e-mail).


>> 2017, PureVPN was forced to disclose information of one user to the FBI.


>> 2014, an EarthVPN user was arrested based on logs provided to the Dutch Police.


>> 2013, Secure E-Mail provider Lavabit shuts down after fighting a secret gag order.


>> 2011, HideMyAss user was de-anonymized, and logs were provided to the FBI.


Some providers have implemented the use of a Warrant Canary that would allow their users to find out if they have been compromised by such orders, but this has not been tested yet as far as I know.


Finally, it is now well known that some companies might be sponsored front ends for some state adversaries (see the Crypto AG story and Omnisec story).


For these reasons, you mustn’t trust such providers for your privacy despite all their claims. In most cases, you will be the last person to know 
if any of your accounts were targeted by such orders and you might never know at all. 


To mitigate this, in cases where you want to use a VPN, I recommend the use of a cash/Monero-paid VPN provider over Tor to prevent the VPN service from knowing any identifiable information about you.





If the VPN provider knows nothing about you, it should mitigate any issue caused by a provider that claims not to log but logs anyway.


Some Advanced targeted techniques: 





(Illustration: an excellent movie I highly recommend: Das Leben der Anderen)


Many advanced techniques can be used by skilled adversaries to bypass your security measures provided they already know where your devices are. Many of those techniques are detailed here https://cyber.bgu.ac.il/advanced-cyber/airgap [Archive.org] (Air-Gap Research Page, Cyber-Security Research Center, Ben-Gurion University of the Negev, Israel) but also in this report https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf [Archive.org] (ESET, JUMPING THE AIR GAP: 15 years of nation-state effort) and include:


>> Attacks requiring malware implants:
    >> Exfiltration of Data through a Malware infected Router: https://www.youtube.com/watch?v=mSNt4h7EDKo [Invidious]
    >> Exfiltration of Data through observation of Light variation in a Backlit keyboard with a compromised camera: https://www.youtube.com/watch?v=1kBGDHVr7x0 [Invidious]
    >> Exfiltration of Data through a compromised Security Camera (that could first use the previous attack) https://www.youtube.com/watch?v=om5fNqkjj2M [Invidious]
    >> Communication from outsider to compromised Security Cameras through IR light signals: https://www.youtube.com/watch?v=auoYKSzdOj4 [Invidious]
    >> Exfiltration of data from a compromised air-gapped computer through acoustic analysis of the FAN noises with a smartphone https://www.youtube.com/watch?v=v2_sZIfZkDQ [Invidious]
    >> Exfiltration of data from a malware-infected air-gapped computer through HD LEDs with a Drone https://www.youtube.com/watch?v=4vlu8id68fc [Invidious]
    >> Exfiltration of data from a USB malware on an air-gapped computer through electromagnetic interferences https://www.youtube.com/watch?v=E28V1t-k8Hk [Invidious]
    >> Exfiltration of data from a malware-infected HDD drive through covert acoustic noise https://www.youtube.com/watch?v=H7IQXmSLiP8 [Invidious]
    >> Exfiltration of data through GSM frequencies from a compromised (with malware) air-gapped computer https://www.youtube.com/watch?v=RChj7Mg3rC4 [Invidious]
    >> Exfiltration of data through electromagnetic emissions from a compromised Display device https://www.youtube.com/watch?v=20zTWIGI1rM&t=20s [Invidious]
    >> Exfiltration of data through magnetic waves from a compromised air-gapped computer to a Smartphone stored inside a Faraday bag https://www.youtube.com/watch?v=yz8E5n1Tzlo [Invidious]
    >> Communication between two compromised air-gapped computers using ultrasonic soundwaves https://www.youtube.com/watch?v=yz8E5n1Tzlo [Invidious]
    >> Exfiltration of Bitcoin Wallet from a compromised air-gapped computer to a smartphone https://www.youtube.com/watch?v=2WtiHZNeveY [Invidious]
    >> Exfiltration of Data from a compromised air-gapped computer using display brightness https://www.youtube.com/watch?v=ZrkZUO2g4DE [Invidious]
    >> Exfiltration of Data from a compromised air-gapped computer through vibrations https://www.youtube.com/watch?v=XGD343nq1dg [Invidious]
    >> Exfiltration of Data from a compromised air-gapped computer by turning RAM into a Wi-Fi emitter https://www.youtube.com/watch?v=vhNncOIn63c [Invidious]
Publication with demonstration: http://wallcamera.csail.mit.edu/ [Archive.org]
>> Observing a reflective bag of snacks in a room from a distance to reconstruct the entire room. Publication with photographic examples: https://arxiv.org/abs/2001.04642 [Archive.org]


>> Measuring floor vibrations to identify individuals and determine their health condition and mood. Publication with demonstration: https://engineering.cmu.edu/news-events/news/2020/02/17-mauraders-map.html [Archive.org]
>> Observing a light bulb from a distance to listen to the sound in the room without any malware. Demonstration: https://www.youtube.com/watch?v=t32QvpfOHqw [Invidious]. It should be noted that this type of attack is not new at all and there have been articles about such techniques as far back as 2013, and that you can even buy devices to perform this yourself such as here: http://www.gcomtech.com/ccp0-prodshow/laser-surveillance-laser-listening.html [Archive.org]


Here is also a good video from the same authors to explain those topics: Black Hat, The Air-Gap Jumpers https://www.youtube.com/watch?v=YKRtFgunyj4 [Invidious]


Realistically, this guide will be of little help against such adversaries as such malware could be implanted on the devices by a manufacturer, anyone in the middle, or by anyone with physical access to the air-gapped computer, but there are still some ways to mitigate such techniques:


>> Do not conduct sensitive activity while connected to an untrusted/unsecured power line to prevent power line leaks.
>> Do not use your devices in front of a camera that could be compromised.
>> Use your devices in a soundproofed room to prevent sound leaks.
>> Use your devices in a Faraday cage to prevent electromagnetic leaks.
>> Do not talk about sensitive information where lightbulbs could be seen from outside.
>> Buy your devices from different/unpredictable/offline places (shops) where the probability of them being infected with such malware is lower.
>> Do not let anyone access your air-gapped computers except trusted people.
Some bonus resources: 


>> Have a look at the Whonix Documentation concerning Data Collection techniques here: https://www.whonix.org/wiki/Data_Collection_Techniques [Archive.org]
>> You might also enjoy looking at this service https://tosdr.org/ [Archive.org] (Terms of Service; Didn’t Read) that will give you a good overview of the various ToS of many services.
>> Have a look at https://www.eff.org/issues/privacy [Archive.org] for some more resources.
>> Have a look at https://en.wikipedia.org/wiki/List_of_government_mass_surveillance_projects [Wikiless] [Archive.org] to have an overview of all known mass-surveillance projects, current and past.
>> Have a look at https://www.gwern.net/Death-Note-Anonymity [Archive.org] (even if you don’t know about Death Note).
more about recent OSINT techniques) https://inteltechniques.com/book1.html
>> Finally, check https://www.freehaven.net/anonbib/date.html [Archive.org] for the latest academic papers related to Online Anonymity.
Notes:

If you still do not think such information can be used by various actors to track you, you can see some statistics for yourself for some platforms and keep in mind those are only accounting for the lawful data requests and will not count things like PRISM, MUSCULAR, SORM or XKEYSCORE explained earlier:


>> Google Transparency Report https://transparencyreport.google.com/user-data/overview [Archive.org]
>> Facebook Transparency Report https://transparency.facebook.com/ [Archive.org]
>> Apple Transparency Report https://www.apple.com/legal/transparency/ [Archive.org]
>> Cloudflare Transparency Report https://www.cloudflare.com/transparency/ [Archive.org]
>> Snapchat Transparency Report https://www.snap.com/en-US/privacy/transparency [Archive.org]
>> Telegram Transparency Report https://t.me/transparency [Archive.org] (requires Telegram installed)
>> Microsoft Transparency Report https://www.microsoft.com/en-us/corporate-responsibility/law-enforcement-requests-report [Archive.org]
>> Amazon Transparency Report https://www.amazon.com/gp/help/customer/display.html?nodeId=GYSDRGWQ2C2CRYEF [Archive.org]
>> Dropbox Transparency Report https://www.dropbox.com/transparency [Archive.org]
>> Discord Transparency Report https://blog.discord.com/discord-transparency-report-jan-june-2020-2ef4a3ee346d [Archive.org]
>> GitHub Transparency Report https://github.blog/2021-02-25-2020-transparency-report/ [Archive.org]
>> TikTok Transparency Report https://www.tiktok.com/safety/resources/transparency-report?lang=en [Archive.org]
>> Reddit Transparency Report https://www.reddit.com/wiki/transparency [Archive.org]
>> Twitter Transparency Report https://transparency.twitter.com/ [Archive.org]
Personally, in the context of this guide, it is also interesting to have a look at your security model. And in this context, I only have one to recommend:

Zero-Trust Security (“Never trust, always verify”).

Here are some various resources about what Zero-Trust Security is:


>> DEFCON, Zero Trust a Vision for Securing Cloud, https://www.youtube.com/watch?v=euSsqXO53Gy [Invidious]


>> From the NSA themselves, Embracing a Zero Trust Security Model, https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF [Archive.org]


Picking your route: 


First, here is a small basic UML diagram showing your available options according to your skills/budget/time/resources. 





Timing limitations: 


>> You have no time at all:
    >> Go for the Tor Browser route.
>> You have extremely limited time to learn and need a fast-working solution:
>> Go with any route.


Budget/Material limitations: 


>> You have no budget and even accessing a laptop is complicated or you only have your smartphone:
    >> Go for the Tor Browser route.
>> You only have one laptop available and cannot afford anything else. You use this laptop for either work, family, or your personal stuff (or both):
    >> You should go for the Tails route.
>> You can afford a spare dedicated unsupervised/unmonitored laptop for your sensitive activities:
    >> But it is old, slow, and has bad specs (less than 6GB of RAM, less than 250GB disk space, old/slow CPU):
        >> You should go for the Tails route.
    >> It is not that old, and it has decent specs (at least 6GB of RAM, 250GB of disk space or more, decent CPU):
        >> You could go for the Tails or Whonix routes.
    >> It is new and it has great specs (more than 8GB of RAM, >250GB of disk space, recent fast CPU):
        >> You could go for any route, but I would recommend Qubes OS if your threat model allows it.
    >> If it is an ARM-based M1 Mac:
        >> Not possible currently for these reasons:
            >> Virtualization of x86 images on ARM M1 Macs is still limited to commercial software (Parallels) which is not supported by Whonix yet.
            >> Virtualbox is not available for ARM architecture yet.
            >> Whonix is not supported on ARM architecture yet.
            >> Tails is not supported on ARM architecture yet.
            >> Qubes OS is not supported on ARM architecture yet.
Skills:

>> Do you have no IT skills at all, and does the content of this guide look like an alien language to you? Consider:
    >> The Tor Browser route (simplest of all)
    >> The Tails route (excluding the persistent plausible deniability section)
>> You have some IT skills and mostly understand this guide so far, consider:
    >> The Tails route with the optional persistent plausible deniability section
    >> The Whonix route.
>> You are a l33T hacker, “there is no spoon”, “the cake is a lie”, you have been using “doas” for years, and “all your base is belong to us”, and you have strong opinions on systemd.

Now that you know what is possible, you should also consider threats and adversaries before picking the right route.


Threats: 


>> If your main concern is a forensic examination of your devices, you should consider:
    >> The Tor Browser route.
    >> The Tails route.
>> If your main concerns are remote adversaries that might uncover your online identity in various platforms, you should consider:
    >> The Tails route.
>> If you want system-wide plausible deniability despite the risks, consider:
    >> The Tails Route including the persistent plausible deniability section (see Persistent Plausible Deniability using Whonix within Tails).
>> If you are in a hostile environment where Tor/VPN usage alone is impossible/dangerous/suspicious, consider:
    >> The Tails route (without actually using Tor).
    >> The Whonix route (without using Whonix).
    >> The Qubes OS route (without actually using Whonix).
Adversaries:
>> Low skills:
    >> Low resources:
        >> Any motivation: Any Route
    >> Medium resources:
        >> Low to Medium motivation: Any Route
        >> High motivation: TAILS, Whonix, Qubes OS Routes
    >> High resources:
        >> Low motivation: Any Route
        >> Medium to High motivation: TAILS, Whonix, Qubes OS Routes
>> Intermediate skills:
    >> Low resources:
        >> Low motivation: Any Route
        >> Medium to High motivation: TAILS, Whonix, Qubes OS Routes
    >> Medium resources:
        >> Low motivation: Any Route
        >> Medium to High motivation: TAILS, Whonix, Qubes OS Routes
    >> High resources:
        >> Low to High motivation: TAILS, Whonix, Qubes OS Routes
>> Highly skilled:
    >> Low resources:
        >> Low motivation: Any Route
        >> Medium to High motivation: TAILS, Whonix, Qubes OS Routes
    >> Medium resources:
        >> Low to High motivation: TAILS, Whonix, Qubes OS Routes
    >> High resources:
        global adversary)


In all cases, you should read these pages from the Whonix documentation that will give you in-depth insight into your choices:
>> https://www.whonix.org/wiki/Warning [Archive.org]
>> https://www.whonix.org/wiki/Dev/Threat_Model [Archive.org]
>> https://www.whonix.org/wiki/Comparison_with_Others [Archive.org]

>> First read more about it at the EFF here: https://ssd.eff.org/en/module/understanding-and-circumventing-network-censorship [Archive.org]





>> Check some data yourself here on the Tor Project OONI (Open Observatory of Network Interference) website: https://explorer.ooni.org/


>> Have a look at https://censoredplanet.org/ and see if they have data about your country. 
>> Specific to China, look at https://gfwatch.org/ and https://www.usenix.org/system/files/sec21-hoang.pdf [Archive.org] 


>> Test for yourself using OONI (this can be risky in a hostile environment). 
Steps for all routes: 


Getting used to using better passwords: 


See Appendix A2: Guidelines for passwords and passphrases. 


Getting an anonymous Phone number: 
Physical Burner Phone and prepaid SIM card:
GET A BURNER PHONE:


This is rather easy. Leave your smartphone on and at home. Have some cash and go to some random flea market or small shop (ideally one without CCTV inside or outside and while avoiding being photographed/filmed) and just buy the cheapest phone you can find with cash and without providing any personal information. It only needs to be in working order.


Leave your smartphone on while buying your burner phone. The point of leaving your smartphone on is to avoid leaking the fact that you are not using the device. If a smartphone is turned off, this creates a metadata trail that can be used to correlate the time your smartphone was turned off with
metadata trail further. This will not make it impossible to correlate your inactivity, but may make it more difficult if your phone’s usage patterns
phones-sold-in-russia/ [Archive.org]
that will easily lead to you). This might seem like a big burden, but it is not as these phones are only being used during the setup/sign-up process and for verification from time to time.


See Appendix N: Warning about smartphones and smart devices 


You should test that the phone is in working order before going to the next step. But I will repeat myself and state that it is important to leave
cannot be tracked back to you (and again, do not do that in front of a CCTV, avoid cameras, be aware of your surroundings). No need for Wi-Fi at this place either.


When you are certain the phone is in working order, disable Bluetooth then power it off (remove the battery if you can) and go back home and 
resume your normal activities. Go to the next step. 


GETTING AN ANONYMOUS PRE-PAID SIM CARD: 


This is the hardest part of the whole guide. It is a SPOF (Single Point of Failure). The places where you can still buy prepaid SIM cards
So here is a list of places where you can still get them now: https://prepaid-data-sim-card.fandom.com/wiki/Registration_Policies_Per_Country [Archive.org]

You should be able to find a place that is “not too far” and just go there physically to buy some pre-paid cards and top-up vouchers with cash. Before going, verify that no law has been passed in the meantime that would make registration mandatory (in case the above wiki was not updated). Try to avoid CCTV and cameras and do not forget to buy a Top-Up voucher with the SIM card (if it is not a package) as most pre-paid cards will require a top-up before use.


See Appendix N: Warning about smartphones and smart devices 


Double-check that the mobile operators selling the pre-paid SIM cards will accept the SIM activation and top-up without any ID registration of 
any kind before going there. Ideally, they should accept SIM activation and top-up from the country you live in. 
to change your number up to two times from their website. One GiffGaff prepaid SIM card will therefore grant you three numbers to use for your needs.





Power off the phone after activation/top-up and before going home. Do not ever power it on again unless you are not at a place that can be

Online Phone Number:

There are many commercial services offering numbers to receive SMS messages online but most of those have no anonymity/privacy and
There are some forums and subreddits (like r/phoneverification/) where users will offer the service of receiving such SMS messages for you for a small fee (using PayPal or some crypto payment). Unfortunately, these are full of scammers and very risky in terms of anonymity. You
To this date, I do not know any reputable service that would offer this service and accept cash payments (by post for instance) like some VPN

>> Recommended: Do not require any identification (even e-mail):
    >> (Iceland based, accepts Monero) https://crypton.sh [Tor Mirror] [Archive.org]
    >> (Ukraine based, accepts Monero) https://virtualsim.net/ [Archive.org]
>> Do require identification (valid e-mail):
    >> (US California based, accepts Monero) https://mobilesms.io [Archive.org]
    >> (Germany based, accepts Monero) https://www.sms77.io/ [Archive.org]
    >> (Russia based, accepts Monero) https://onlinesim.ru/ [Archive.org]


There are some other possibilities listed here https://cryptwerk.com/companies/sms/xmr/ [Archive.org]. Use at your own risk.


Now, what if you have no money? Well, in that case, you will have to try your luck with free services and hope for the best. Here are some 
examples, use at your own risk: 


>> https://oksms.org 
>> https://smspva.com 
>> https://sms24.me 
using your real identity. Please do read Appendix B2: Monero Disclaimer.


Therefore IMHO, it is just more convenient, cheaper, and less risky to just get a pre-paid SIM card from one of the physical places that still 
sell them for cash without requiring ID registration. But at least there is an alternative if you have no other choice. 


Get a USB key:

Get at least one or two decent size generic USB keys (at least 16GB but I would recommend 32GB).

Please do not buy or use gimmicky self-encrypting devices such as these: https://syscall.eu/blog/2018/03/12/aigo_part1/ [Archive.org]

Some might be very efficient but many are gimmicky gadgets that offer no real protection.


Find some safe places with decent public Wi-Fi:


You need to find safe places where you will be able to do your sensitive activities using some publicly accessible Wi-Fi (without any 
account/ID registration, avoid CCTVs). 


This can be anywhere that will not be tied to you directly (your home/work) and where you can use the Wi-Fi for a while without being 
bothered. But also, a place where you can do this without being “noticed” by anyone. 


If you think Starbucks is a clever idea, you may reconsider: 
>> They probably have CCTVs in all their shops and keep those recordings for an unknown amount of time. 


>> You will need to buy a coffee to get the Wi-Fi access code in most. If you pay for this coffee with an electronic method, they will be able 
to tie your Wi-Fi access with your identity. 





Situational awareness is key, and you should be constantly aware of your surroundings and avoid touristy places like it was plagued by
travel pictures on their Instagram. If you do, remember chances are high that those pictures will end up online (publicly or privately) with full metadata attached to them (time/date/geolocation) and your face. Remember these can and will be indexed by

You will ideally need a set of 3-5 separate places such as this to avoid using the same place twice. Several trips will be needed over the weeks for the various steps in this guide.
weeks for the various steps in this guide. 


You could also consider connecting to these places from a safe distance for added security. See Appendix Q: Using long-range Antenna to 
connect to Public Wi-Fis from a safe distance. 


The Tor Browser route: 


This part of the guide will help you in setting up the simplest and easiest way to browse the web anonymously. It is not necessarily the best 
method and there are more advanced methods below with (much) better security and (much) better mitigations against various adversaries. 
Yet, this is a straightforward way of accessing resources anonymously and quickly with no budget, no time, no skills, and limited usage. 


So, what is Tor Browser? Tor Browser (https://www.torproject.org/ [Archive.org]) is a web browser like Safari/Firefox/Chrome/Edge/Brave

This browser is different from other browsers as it will connect to the internet through the Tor Network using Onion Routing. I first recommend that you watch this very nice introduction video by the Tor Project themselves: https://www.youtube.com/watch?v=JWII85UIzZKw [Invidious]

After that, you should probably head over to their page to read their quick overview here: https://2019.www.torproject.org/about/overview.html.en [Archive.org]

Without going into too many technical details, Tor Browser is an easy and simple “fire and forget” solution to browse the web anonymously from pretty much any device. It is probably sufficient for most people and

Here are several ways to set it up for all main OSes.


Windows, Linux, and macOS:


Please see Appendix Y: Installing and using desktop Tor Browser. 


Android: 


>> Head over to:
>> Play Store: https://play.google.com/store/apps/details?id=org.torproject.torbrowser

>> Install
>> Launch Tor Browser
>> After Launching, click the upper right Settings icon

>> If needed (after reading the appendix above), activate the option and select the type of bridge you want:
>> Obfs4
>> Meek-Azure
>> Snowflake


Personally, if you need to use a Bridge (this is not necessary for a non-hostile environment), you should pick a Meek-Azure. Those will 
probably work even if you are in China and want to bypass the Great Firewall. It is probably the best option to obfuscate your Tor activities if 
needed and Microsoft servers are usually not blocked. 


>> You are almost done 


As with the desktop version, you need to know there are safety levels in Tor Browser. On Android, you can access these by following these steps:

>> Click Settings
>> Head over to the Privacy and security section
>> Click Security Settings

You will find details about each level here: https://tb-manual.torproject.org/security-settings/ [Archive.org] but here is a summary:





>> Standard (the default):
>> All features are enabled (including JavaScript)
>> Safer:
>> JavaScript is disabled on non-HTTPS websites
>> Some fonts and symbols are disabled
>> Any media playback is “click to play” (disabled by default)
>> Safest:
>> JavaScript is disabled everywhere
>> Some fonts and symbols are disabled
>> Any media playback is “click to play” (disabled by default)

I would recommend the “Safer” level for most cases. The Safest level should only be enabled if you think you are accessing suspicious or dangerous websites or if you are extra paranoid.


However, the Safer level should be used with some extra precautions while using some websites: see Appendix A5: Additional browser 
precautions with JavaScript enabled. 


Now, you are really done, and you can now surf the web anonymously from your Android device.

iOS:


While the official Tor Browser is not yet available for iOS, there is an alternative called Onion Browser endorsed by the Tor Project.


>> Head over to https://apps.apple.com/us/app/onion-browser/id519296448 
>> Install 

>> Disable Wi-Fi and Mobile Data 

>> Launch Onion Browser 


>> After Launching, click the upper right Settings icon (Disabling Wi-Fi and Mobile Data previously were to prevent Onion Browser from

>> Select “Bridge Configuration” and read Appendix X: Using Tor bridges in hostile environments
>> If needed (after reading the appendix above), activate the option and select the type of bridge you want:
>> Obfs4
>> Snowflake
>> (Meek-Azure is unfortunately not available on Onion Browser for iOS for some reason)


Personally, if you need to use a Bridge (this is not necessary for a non-hostile environment), you should pick a Snowflake one (since Meek-Azure bridges are not available). Those will probably work even if you are in China and want to bypass the Great Firewall. It is probably the

>> You are almost done


As with the desktop version, you need to know there are safety levels in Onion Browser. On iOS, you can access these by following these steps:

>> You will have three levels to pick from
>> >> Gold: Ideal if you are suspicious, paranoid, or accessing what you think are dangerous resources.
>> JavaScript is disabled
>> WebSockets, Geolocation, and XHR are disabled
>> No Video or Audio
>> Links cannot open Apps
>> WebRTC is blocked
>> Mixed HTTP/HTTPS is blocked
>> Ads and Pop-Ups are blocked

>> >> Silver:
>> JavaScript partially allowed
>> WebSockets, Geolocation, and XHR are disabled
>> No Video or Audio
>> Links cannot open Apps
>> WebRTC is blocked
>> Mixed HTTP/HTTPS is blocked
>> Ads and Pop-Ups are blocked

>> >> Bronze (not recommended):
>> JavaScript allowed
>> Audio and Video allowed
>> Links cannot open Apps

>> Mixed HTTP/HTTPS is not blocked
>> Ads and Pop-Ups are blocked


I would recommend the “Silver” level for most cases. The Gold level should only be enabled if you think you are accessing suspicious or dangerous websites or if you are extra paranoid. The Gold mode will also most likely break many websites that rely actively on JavaScript.


As JavaScript is enabled in the Silver mode, please see Appendix A5: Additional browser precautions with JavaScript enabled. 
Now, you are really done, and you can now surf the web anonymously from your iOS device. 

If you have time and want to learn, I recommend going for other routes instead as they offer far better security and mitigate far more risks

The Tails route:

>> You cannot afford a dedicated laptop
>> Your dedicated laptop is just too old and too slow
>> You have very low IT skills

Tails stands for The Amnesic Incognito Live System. It is a bootable Live Operating System running from a USB key that is designed

As soon as you shut down the computer, everything will be gone unless you saved it somewhere.




WARNING: Tails is not always up to date with their bundled software. And not always up to date with the Tor Browser updates 

It does however have some drawbacks:


>> Tails uses Tor and therefore you will be using Tor to access any resource on the internet. This alone will make you suspicious to most

>> Your ISP (whether it is yours or some public Wi-Fi) will also see that you are using Tor, and this could make you suspicious in itself.


>> Tails does not include (natively) some of the software you might want to use later which will complicate things quite a bit if you want to 
run some specific things (Android Emulators for instance). 





>> Tails uses Tor Browser which while it is very secure will be detected as well by most platforms and will hinder you in creating

>> Tails will not protect you more from the 5$ wrench.
>> Tor in itself might not be enough to protect you from an adversary with enough resources as explained earlier.

bypass (some) local restrictions on supervised computers.

https://tails.boum.org/doc/about/warnings/index.en.html [Archive.org]


Taking all this into account and the fact that their documentation is great, I will just redirect you towards their well-made and well-maintained tutorial:


https://tails.boum.org/install/index.en.html [Archive.org] pick your flavor and proceed.


If you’re having an issue accessing Tor due to censorship or other issues, you can try using Tor Bridges by following this Tails tutorial: https://tails.boum.org/doc/anonymous_internet/tor/index.en.html [Archive.org] and find more information about these on Tor Documentation https://2019.www.torproject.org/docs/bridges [Archive.org]

Tor Browser settings on Tails:


When using Tor Browser, you should click the little shield Icon (upper right, next to the Address bar) and select your Security level (see https://tb-manual.torproject.org/security-settings/ [Archive.org] for details). Basically, there are three.


>> Standard (the default): 

>> All features are enabled (including JavaScript) 
>> Safer: 

>> JavaScript is disabled on non-HTTPS websites 

>> Some fonts and symbols are disabled 

>> Any media playback is “click to play” (disabled by default) 
>> Safest: 

>> JavaScript is disabled everywhere

>> Some fonts and symbols are disabled

>> Any media playback is “click to play” (disabled by default) 


I would recommend the “Safer” level for most cases. The Safest level should only be enabled if you think you are accessing suspicious or dangerous websites or if you are extra paranoid. The Safest mode will also most likely break many websites that rely actively on JavaScript.


Lastly, while using Tor Browser on Tails on the “Safer” level, please consider Appendix A5: Additional browser precautions with JavaScript 
enabled 


When you are done and have a working Tails on your laptop, go to the Creating your anonymous online identities step much further in this 
guide or if you want persistence and plausible deniability, continue with the next section. 


Persistent Plausible Deniability using Whonix within Tails:


Consider checking the https://github.com/aforensics/HiddenVM [Archive.org] project for Tails.

(see The Whonix route: first chapters and also for some explanations about Plausible deniability, as well as the How to securely delete

TAILS Non-persistent Live Host OS

Whonix Gateway VM

>> You could store persistent VMs within a secondary container that could be encrypted normally or using the Veracrypt plausible

>> You do benefit from the added Tor Stream Isolation feature (see Tor over VPN for more info about stream isolation).


In that case, as the project outlines it, there should be no traces of any of your activities on your computer and the sensitive work could be

You only need 2 USB keys (one with Tails and one with a Veracrypt container containing persistent Whonix). The first USB key will appear to contain just Tails and the second USB will appear to contain just random garbage but will have a decoy volume which you can show for

You might also wonder if this will result in a “Tor over Tor” setup, but it will not. The Whonix VMs will be accessing the network directly through

In the future, this could also be supported by the Whonix project themselves as explained here: https://www.whonix.org/wiki/Whonix-Host [Archive.org] but it is not yet recommended as of now for end-users.


Remember that encryption with or without plausible deniability is not a silver bullet and will be of little use in case of torture. As a matter of
fact, depending on who your adversary would be (your threat model), it might be wise not to use Veracrypt (formerly TrueCrypt) at all as


shown in this demonstration: https://defuse.ca/truecrypt-plausible-deniability-useless-by-game-theory.htm [Archive.org] 


Plausible deniability is only effective against soft lawful adversaries that will not resort to physical means. 
See https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis [Wikiless] [Archive.org]

consider storing such hidden VMs on an external SSD drive:


>> Do not use hidden volumes on SSD drives as this is not supported/recommended by Veracrypt.

First Run:
>> Download the latest HiddenVM release from https://github.com/aforensics/HiddenVM/releases [Archive.org]
>> Download the latest Whonix XFCE release from https://www.whonix.org/wiki/VirtualBox/XFCE [Archive.org]
>> Prepare a USB Key/Drive with Veracrypt 


>> Create a Hidden Volume on the USB/Key Drive (I would recommend at least 16GB for the hidden volume)


>> In the Outer Volume, place some decoy files 





>> In the Hidden Volume, place the HiddenVM appimage file 
>> In the Hidden Volume, place the Whonix XFCE ova file 
>> Boot into Tails
>> Setup the Keyboard layout as you want. 
>> Select Additional Settings and set an administrator (root) password (needed for installing HiddenVM) 
>> Start Tails 
>> Connect to a safe wi-fi (this is a required step for the rest to work) 

>> Launch the HiddenVM appimage
>> When prompted to select a folder, select the Root of the Hidden volume (where the Whonix OVA and HiddenVM app image files are).
>> Let it do its thing (This will install Virtualbox within Tails with one click)
>> When it is done, it should automatically start Virtualbox Manager.
>> Import the Whonix OVA files (see Whonix Virtual Machines:)


Note, if during the import you are having issues such as “NS_ERROR_INVALID_ARG (0x80070057)”, this is probably because there is not enough disk space on your Hidden volume for Whonix. Whonix themselves recommend 32GB of free space but that’s probably not necessary and 10GB should be enough for a start. You can try working around this error by renaming the Whonix *.OVA file to *.TAR and decompressing it within Tails. When you are done with decompression, delete the OVA file and import the other files with the Import wizard. This time it might work.


Subsequent Runs: 


>> Boot into Tails 

>> Connect to Wi-Fi 

>> Unlock your Hidden Volume 
>> Launch the HiddenVM App 


>> This should automatically open VirtualBox manager and show your earlier VMs from the first run 
Steps for all other routes: 


Get a dedicated laptop for your sensitive activities: 


Ideally, you should get a dedicated laptop that will not be tied to you in any effortless way (ideally paid with cash anonymously and using the 

help you harden your laptop as much as possible to prevent data leaks through various means. There will be several lines of defense
standing between your online identities and yourself that should prevent most adversaries from de-anonymizing you besides state/global 
actors with considerable resources. 


This laptop should ideally be a clean freshly installed Laptop (Running Windows, Linux, or macOS), clean of your normal day-to-day 
activities, and offline (never connected to the network yet). In the case of a Windows laptop, and if you used it before such a clean install, it 
should also not be activated (re-installed without a product key). Specifically, in the case of MacBooks, it should never have been tied to your 

identifiers of the laptop while using it (MAC Address, Bluetooth Address, and Product key ...). But also, to avoid being tracked back if you
need to dispose of the laptop. 


If you used this laptop before for different purposes (like your day-to-day activities), all its hardware identifiers are probably known and 
registered by Microsoft or Apple. If later any of those identifiers is compromised (by malware, telemetry, exploits, human errors ...) they could 
lead back to you. 

Virtual Machines at the same time. It should have a working battery that lasts a few hours.


This laptop could have an HDD (7200rpm) or an SSD/NVMe drive. Both possibilities have their benefits and issues that will be detailed later. 


All future online steps performed with this laptop should ideally be done from a safe network such as Public Wi-Fi in a safe place (see Find 
some safe places with decent public Wi-Fi). But several steps will have to be taken offline first. 


Some laptop recommendations: 

This is because those business laptops usually offer better and more customizable security features (especially in the BIOS/UEFI settings)
with longer support than most consumer laptops (Asus, MSI, Gigabyte, Acer...). The interesting features to look for are IMHO: 


>> Better custom Secure Boot settings (where you can selectively manage all the keys and not just use the Standard ones) 
>> HDD/SSD passwords in addition to just BIOS/UEFI passwords. 


>> AMD laptops could be more interesting as some provide the ability to disable AMD PSP (the AMD equivalent of Intel IME) from the BIOS/UEFI settings by default. And, because AFAIK, AMD PSP was audited and contrary to IME was not found to have any “evil” functionalities. However, if you are going for the Qubes OS Route consider Intel CPUs as Qubes OS does not support AMD with their anti-evil-maid system.


>> Secure Wipe tools from the BIOS (especially useful for SSD/NVMe drives, see Appendix M: BIOS/UEFI options to wipe disks in various 
Brands). 


>> Better control over the disabling/enabling of select peripherals (USB ports, Wi-Fis, Bluetooth, Camera, Microphone ...). 
>> Better security features with Virtualization. 

>> Native anti-tampering protections. 

>> Longer support with BIOS/UEFI updates (and subsequent BIOS/UEFI security updates). 

>> Some are supported by Libreboot


BIOS/UEFI/Firmware Settings of your laptop:


These settings can be accessed through the boot menu of your laptop. Here is a good tutorial from HP explaining all the ways to access the 


BIOS on various computers: https://store.hp.com/us/en/tech-takes/how-to-enter-bios-setup-windows-pcs [Archive.org] 
Usually how to access it is by pressing a specific key (F1, F2, or Del) at boot (before your OS). 
Once you are in there, you will need to apply a few recommended settings: 

>> Disable Biometrics (fingerprint scanners) if you have any if you can. However, you could add a biometric additional check for booting only (pre-boot) but not for accessing the BIOS/UEFI settings.

>> Enable BIOS/UEFI password and use a long passphrase instead of a password (if you can) and make sure this password is required for:


>> Accessing the BIOS/UEFI settings themselves 
>> Changing the Boot order 
>> Startup/Power-on of the device 


>> Enable HDD/SSD password if the feature is available. This feature will add another password on the HDD/SSD itself (not in the
BIOS/UEFI firmware) that will prevent this HDD/SSD from being used in a different computer without the password. Note that this 
feature is also specific to some manufacturers and could require specific software to unlock this disk from a completely different 
computer. 


>> Prevent accessing the boot options (the boot order) without providing the BIOS/UEFI password if you can. 
>> Disable USB/HDMI or any other port (Ethernet, Firewire, SD card ...) if you can. 

>> Disable Intel ME if you can (odds are very high you can't). 

>> Disable AMD PSP if you can (AMD’s equivalent to IME, see Your CPU) 


>> Disable Secure Boot if you intend to use Qubes OS as they do not support it out of the box. Keep it on if you intend to use Linux/Windows.

Only enable those on a “need to use” basis and disable them again after use. This can help mitigate some attacks in case your laptop is

later in this guide).

So, what is Secure Boot? In short, it is a UEFI security feature designed to prevent your computer from booting an operating system from
which the bootloader was not signed by specific keys stored in the UEFI firmware of your laptop. 


When the operating system (or the Bootloader) supports it, you can store the keys of your bootloader in your UEFI firmware, and this will

Secure Boot settings are protected by the password you set up to access the BIOS/UEFI settings. If you have that password, you can disable
Secure Boot and allow unsigned OSes to boot on your system. This can help mitigate some Evil-Maid attacks (explained later in this guide). 


In most cases, Secure Boot is disabled by default or is enabled but in “setup” mode which will allow any system to boot. For Secure Boot to 
work, your Operating System will have to support it and then sign its bootloader and push those signing keys to your UEFI firmware. After 
that, you will have to go to your BIOS/UEFI settings and save those pushed keys from your OS and change the Secure Boot from setup to 
user mode (or custom mode in some cases). 


After doing that step, only the Operating Systems from which your UEFI firmware can verify the integrity of the bootloader will be able to boot. 


Most laptops will have some default keys already stored in the secure boot settings. Usually, those are from the manufacturer itself or some 
companies such as Microsoft. So, this means that by default, it will always be possible to boot some USB disks even with secure boot. These 
include Windows, Fedora, Ubuntu, Mint, Debian, CentOS, OpenSUSE, Tails, Clonezilla, and many others. Secure Boot is however not 
supported at all by Qubes OS at this point. 


In some laptops, you can manage those keys and remove the ones you do not want with a “custom mode” to only authorize your bootloader 
that you could sign yourself if you want to. 
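To check which of these modes (setup mode, user mode with Secure Boot enforcing, or disabled) a Linux machine is actually in, and to review the keys and hashes enrolled in the db the firmware trusts, the relevant UEFI variables can be read from efivarfs. This is an added example, not code from the guide; it assumes efivarfs is mounted at /sys/firmware/efi/efivars and falls back to a constructed sample (including a constructed owner GUID) when it is not.

```python
"""Inspect the UEFI Secure Boot state and the enrolled db on Linux.

Added example, not part of the original guide. On Linux, efivarfs exposes
each UEFI variable as a file: 4 bytes of attributes (little-endian uint32)
followed by the variable data. SecureBoot and SetupMode are 1-byte flags;
db is a chain of EFI_SIGNATURE_LIST structures (enrolled certificates/hashes).
"""
from __future__ import annotations

import struct
import uuid
from pathlib import Path

EFI_GLOBAL_GUID = "8be4df61-93ca-11d2-aa0d-00e098032b8c"             # SecureBoot, SetupMode
EFI_IMAGE_SECURITY_DB_GUID = "d719b2cb-3d3a-4596-a3bc-dad00e67656f"  # db, dbx
EFIVARS = Path("/sys/firmware/efi/efivars")

# Signature types commonly found in db entries.
SIGNATURE_TYPES = {
    uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072"): "x509",
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328"): "sha256",
}


def split_efivar(raw: bytes) -> tuple[int, bytes]:
    """Split an efivarfs blob into (attributes, data)."""
    if len(raw) < 4:
        raise ValueError("efivar blob too short: missing 4-byte attribute header")
    return struct.unpack("<I", raw[:4])[0], raw[4:]


def flag_from_efivar(raw: bytes) -> bool:
    """Decode a 1-byte UEFI flag variable such as SecureBoot or SetupMode."""
    _, data = split_efivar(raw)
    if len(data) != 1:
        raise ValueError(f"expected a 1-byte flag, got {len(data)} bytes")
    return data[0] == 1


def describe_state(secure_boot: bool, setup_mode: bool) -> str:
    """Map the two flags onto the modes described in the text above."""
    if setup_mode:
        return "setup mode: keys can be enrolled and any bootloader will boot"
    if secure_boot:
        return "user mode, enforcing: only bootloaders signed by an enrolled key boot"
    return "user mode, disabled: unsigned bootloaders will boot"


def parse_signature_lists(data: bytes) -> list[tuple[str, str, int]]:
    """Walk the EFI_SIGNATURE_LIST chain of db/dbx data.

    Returns one (signature type, owner GUID, payload length) tuple per entry,
    which is what you review when deciding which vendor keys to keep.
    """
    entries = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[offset:offset + 16])
        list_size, header_size, sig_size = struct.unpack("<III", data[offset + 16:offset + 28])
        if list_size < 28 + header_size or offset + list_size > len(data) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST sizes")
        pos = offset + 28 + header_size
        end = offset + list_size
        while pos + sig_size <= end:  # each entry: 16-byte SignatureOwner + payload
            owner = uuid.UUID(bytes_le=data[pos:pos + 16])
            entries.append((SIGNATURE_TYPES.get(sig_type, str(sig_type)), str(owner), sig_size - 16))
            pos += sig_size
        offset = end
    return entries


def read_variable(name: str, guid: str) -> bytes | None:
    """Read a live variable from efivarfs; None when not on a UEFI Linux system."""
    path = EFIVARS / f"{name}-{guid}"
    return path.read_bytes() if path.exists() else None


# Constructed sample: an enforcing system whose db holds one SHA-256 hash entry.
_ATTRS = struct.pack("<I", 0x6)  # BOOTSERVICE_ACCESS | RUNTIME_ACCESS
SAMPLE_SECUREBOOT = _ATTRS + b"\x01"
SAMPLE_SETUPMODE = _ATTRS + b"\x00"
SAMPLE_OWNER = uuid.UUID("11111111-2222-4333-8444-555555555555")  # constructed owner GUID
SAMPLE_DB = _ATTRS + (
    uuid.UUID("c1c41626-504c-4092-aca9-41f936934328").bytes_le
    + struct.pack("<III", 28 + 48, 0, 48)          # list size, header size, signature size
    + SAMPLE_OWNER.bytes_le + b"\xAB" * 32         # one owner GUID + one 32-byte hash
)

if __name__ == "__main__":
    sb = read_variable("SecureBoot", EFI_GLOBAL_GUID) or SAMPLE_SECUREBOOT
    sm = read_variable("SetupMode", EFI_GLOBAL_GUID) or SAMPLE_SETUPMODE
    db = read_variable("db", EFI_IMAGE_SECURITY_DB_GUID) or SAMPLE_DB
    print(describe_state(flag_from_efivar(sb), flag_from_efivar(sm)))
    for kind, owner, size in parse_signature_lists(split_efivar(db)[1]):
        print(f"{kind:8} owner={owner} bytes={size}")
```

On a real machine the owner GUIDs and x509 entries printed are the vendor keys the text refers to; an entry you do not recognise is a reason to look at the firmware's custom mode.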

What is Secure Boot not protecting you from?


>> Secure Boot is not encrypting your disk and an adversary can still just remove the disk from your laptop and extract data from it using a 
different machine. Secure Boot is therefore useless without full disk encryption. 


>> Secure Boot is not protecting you from a signed bootloader that would be compromised and signed by the manufacturer itself (Microsoft 
for example in the case of Windows). Most mainstream Linux distributions are signed these days and will boot with Secure Boot 
enabled. 


>> Secure Boot can have flaws and exploits like any other system. If you are running an old laptop that does not benefit from new 
BIOS/UEFI updates, these can be left unfixed. 


Additionally, several attacks could be possible against Secure Boot as explained (in-depth) in these technical videos: 
>> Defcon 22, https://www.youtube.com/watch?v=QDS|IWa9xQuA [Invidious]
>> BlackHat 2016, https://www.youtube.com/watch?v=OfZdL 3ufVO] [Invidious]

drive. It is an added layer but that is it.

Mac:


Take a moment to set a firmware password according to the tutorial here: https://support.apple.com/en-au/HT204455 [Archive.org]


You should also enable firmware password reset protection (available from Catalina) according to the documentation here: 


https://support.apple.com/en-gb/guide/security/sec28382c9ca/web [Archive.org] 


This feature will mitigate the possibility for some adversaries to use hardware hacks to disable/bypass your firmware password. Note that this 
will also prevent Apple themselves from accessing the firmware in case of repair. 

At some point, you will inevitably leave this laptop alone somewhere. You will not sleep with it and take it everywhere every single day. You
should make it as hard as possible for anyone to tamper with it without you noticing it. This is mostly useful against some limited adversaries 


that will not use a 5$ wrench against you.


It is important to know that it is trivially easy for some specialists to install a key logger in your laptop, or to just make a clone copy of your 

Here is a good cheap method to make your laptop tamper-proof using Nail Polish (with glitter) https://mullvad.net/en/help/how-tamper-protect-laptop/ [Archive.org] (with pictures).


While this is a good cheap method, it could also raise suspicions as it is quite “noticeable” and might just reveal that you “have something to 
hide”. So, there are more subtle ways of achieving the same result. You could also for instance make a close-up macro photography of the 
back screws of your laptop or just use a small amount of candle wax within one of the screws that could just look like usual dirt. You could 

adversary was not careful enough (Tightening them exactly the same way they were before). Or the wax within the bottom of a screw head

damaged by inserting a USB key in it.

The Whonix route:
Picking your Host OS (the OS installed on your laptop):


This route will make extensive use of Virtual Machines, they will require a host OS to run the Virtualization software. You have three

>> Windows 10 (preferably Home edition due to the absence of Bitlocker)
>> Windows 11 is not yet supported by this guide
>> macOS (Catalina or higher up to Monterey)

its unique hardware identifiers could lead back to you in case of hardware identifiers leak.


Linux is also not necessarily the best choice for anonymity depending on your threat model. This is because using Windows will allow us to

conveniently use Plausible Deniability (aka Deniable Encryption) easily at the OS level. Windows is also unfortunately at the same time a privacy nightmare but is the only easy to set up option for using OS-wide plausible deniability. Windows telemetry and telemetry blocking are also widely documented which should mitigate many issues.


So, what is Plausible Deniability? You can cooperate with an adversary requesting access to your device/data without revealing your true secret. All this using Deniable Encryption.


A soft lawful adversary could ask for your encrypted laptop password. At first, you could refuse to give out any password (using your “right to remain silent”, “right not to incriminate yourself”) but some countries are implementing laws to exempt this from such rights (because terrorists and “think of the children”). In that case, you might have to reveal the password or face jail time in contempt of court. This is where

You could then reveal a password, but that password will only give access to “plausible data” (a decoy OS). The forensics will be well aware

(similar to a zip file) where different files will be shown depending on the encryption password you use.


This also means you could set up your own advanced “plausible deniability” setup using any Host OS by storing for instance Virtual Machines 
on a Veracrypt hidden volume container (be careful of traces in the Host OS tho that would need to be cleaned if the host OS is persistent, 
see Some additional measures against forensics section later). There is a project for achieving this within Tails 

Tails.


In the case of Windows, plausible deniability is also the reason you should ideally have Windows 10 Home (and not Pro). This is because 
Windows 10 Pro natively offers a full-disk encryption system (Bitlocker) where Windows 10 Home offers no full-disk encryption at all. We
will later use third-party open-source software for encryption that will allow full-disk encryption on Windows 10 Home. This will give you a 
good (plausible) excuse to use this software. While using this software on Windows 10 Pro would be suspicious. 





Note about Linux: So, what about Linux and plausible deniability? Yes, it is possible to achieve plausible deniability with Linux too. More 

Unfortunately, encryption is not magic and there are some risks involved:
Threats with encryption: 
THE 5$ WRENCH: 


Remember that encryption with or without plausible deniability is not a silver bullet and will be of little use in case of torture. As a matter of
fact, depending on who your adversary would be (your threat model), it might be wise not to use Veracrypt (formerly TrueCrypt) at all as


shown in this demonstration: https://defuse.ca/truecrypt-plausible-deniability-useless-by-game-theory.htm [Archive.org] 


Plausible deniability is only effective against soft lawful adversaries that will not resort to physical means. Avoid, if possible, the use of

See https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis [Wikiless] [Archive.org]


EVIL-MAID ATTACK: 


An Evil Maid attack is when someone tampers with your laptop while you are away, to clone your hard drive, install
malware or a key logger. If they can clone your hard drive, they can compare one image of your hard drive at the time they took it while you 
were away with the hard drive when they seize it from you. If you used the laptop again in between, forensics examiners might be able to 
prove the existence of the hidden data by looking at the variations between the two images in what should be an empty/unused space. This 
could lead to compelling evidence of the existence of hidden data. If they install a key logger or malware within your laptop (software or 
hardware), they will be able to simply get the password from you for later use when they seize it. Such attacks can be done at your home, 
your hotel, a border crossing, or anywhere you leave your devices unattended. 

>> Have basic tamper protection (as explained previously) to prevent physical access to the internals of the laptop without your knowing.
This will prevent them from cloning your disks and installing a physical key logger without your knowledge. 


>> Disable all the USB ports (as explained previously) within a password-protected BIOS/UEFI. Again, they will not be able to turn them on (without physically accessing the motherboard to reset the BIOS) to boot a USB device that could clone your hard drive or install software-based malware that could act as a key logger.


>> Set up BIOS/UEFI/Firmware passwords to prevent any unauthorized boot of an unauthorized device. 


>> Some OSes and encryption software have anti-Evil-Maid protection that can be enabled. This is the case with Windows/Veracrypt and Qubes OS.


COLD-BOOT ATTACK: 


Cold Boot attacks are trickier than the Evil Maid Attack but can be part of an Evil Maid attack, as they require an adversary to come into possession of your laptop while you are actively using your device or shortly afterward.


The idea is rather simple, as shown in this video, an adversary could theoretically quickly boot your device on a special USB key that
need more time, they could open it and “cool down” the memory using a spray or other chemicals (liquid nitrogen for instance) preventing the
device. We will later apply a few principles to mitigate these.


In the case of Plausible Deniability, there have been some forensics studies
a simple forensic examination (without a Cold Boot/Evil Maid Attack) but these have been contested by other studies and by the
The same measures used to mitigate Evil Maid attacks should be in place for Cold Boot attacks with some added ones:


>> If your OS or Encryption software allows it, you should consider encrypting the keys within RAM too (this is possible with Windows/Veracrypt and will be explained later). Again see https://sourceforge.net/p/veracrypt/discussion/technical/thread/3961542951/ [Archive.org]


>> Do enable the option to Wipe keys from memory if a device is inserted in Veracrypt. 


>> You should limit the use of Sleep stand-by and instead use Shutdown or Hibernate to prevent the encryption keys from staying in RAM when your computer goes to sleep. This is because sleep will maintain power in your memory for resuming your activity faster. Only hibernation and shutdown will actually clear the key from the memory.


See also https://www.whonix.org/wiki/Cold_Boot_Attack_Defense [Archive.org] and https://www.whonix.org/wiki/Protection_Against_Physical_Attacks [Archive.org]


Here are also some interesting tools to consider for Linux users to defend against these: 


>> https://github.com/0xPoly/Centry [Archive.org] (unfortunately unmaintained it seems so I made a fork and pull request updating for Veracrypt https://github.com/AnonymousPlanet/Centry [Archive.org] which should still work)
>> https://github.com/hephaest0s/usbkill [Archive.org] (unfortunately unmaintained as well it seems)
>> https://github.com/Lvl4Sword/Killer [Archive.org]
>> https://askubuntu.com/questions/153245/how-to-wipe-ram-on-shutdown-prevent-cold-boot-attacks [Archive.org]
>> (Qubes OS, Intel CPU only) https://github.com/QubesOS/qubes-antievilmaid [Archive.org]

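The tools listed above all follow the same pattern: remember which USB devices are present, then power the machine off the moment that set changes, so the disk keys leave RAM before anyone can image it. The script below is an added illustration of that pattern (it is not code from the guide or from the Centry/usbkill/Killer projects); it assumes a Linux host with sysfs and systemd, must run as root to actually power off, and stays in dry-run mode unless USBKILL_ARM=1 is exported.

```bash
#!/bin/sh
# Added example, not code from the guide or from Centry/usbkill/Killer: a minimal
# usbkill-style watchdog. It records the USB devices present when armed and powers
# the machine off as soon as that set changes, so the disk encryption keys leave
# RAM before a memory image can be taken. Assumes Linux sysfs and systemd; must run
# as root to power off; stays in dry-run mode unless USBKILL_ARM=1 is exported.

# Print one line per USB device as vendor:product[:serial], sorted.
# Interface entries (e.g. "1-1:1.0") have no idVendor file and are skipped.
usb_snapshot() {
    root="${1:-/sys/bus/usb/devices}"
    for dev in "$root"/*; do
        [ -r "$dev/idVendor" ] || continue
        entry="$(cat "$dev/idVendor"):$(cat "$dev/idProduct")"
        [ -r "$dev/serial" ] && entry="$entry:$(cat "$dev/serial")"
        printf '%s\n' "$entry"
    done | sort
}

# usb_changed BASELINE CURRENT: return 0 when the two device lists differ.
usb_changed() {
    [ "$1" != "$2" ]
}

# Reaction: flush pending disk writes, then power off. Without USBKILL_ARM=1
# the script only reports, so it can be tried before trusting it with a shutdown.
usbkill_react() {
    if [ "${USBKILL_ARM:-0}" = 1 ]; then
        sync
        systemctl poweroff
    else
        echo "usbkill: USB device set changed (dry run, would power off now)" >&2
    fi
}

# Poll sysfs every INTERVAL seconds (default 0.5) until the device set changes.
usbkill_watch() {
    interval="${1:-0.5}"
    baseline="$(usb_snapshot)"
    echo "usbkill: armed, $(printf '%s\n' "$baseline" | grep -c .) device(s) present" >&2
    while sleep "$interval"; do
        if usb_changed "$baseline" "$(usb_snapshot)"; then
            usbkill_react
            return 0
        fi
    done
}

# Start watching only when asked explicitly, e.g.:  USBKILL_ARM=1 ./usbkill.sh --watch
if [ "${1:-}" = "--watch" ]; then
    usbkill_watch "${2:-0.5}"
fi
```

Arm it only after every device you rely on (keyboard, mouse, dock) is already plugged in, since removing one of them triggers the power-off just as inserting a new one does.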

ABOUT SLEEP, HIBERNATION, AND SHUTDOWN:


If you want better security, you should shut down your laptop completely every time you leave it unattended or close the lid. This should clean and/or release the RAM and provide mitigations against cold boot attacks. However, this can be a bit inconvenient as you will have to reboot completely, type in a ton of passwords into various apps, and restart various VMs and other apps. So instead, you could also use hibernation (not supported on Qubes OS). Since the whole disk is encrypted, hibernation in itself should not pose a large security risk but will still shut down your laptop and clear the memory while allowing you to conveniently resume your work afterward. What you should never do is
every time.


LOCAL DATA LEAKS (TRACES) AND FORENSICS EXAMINATION: 


As mentioned briefly earlier, these are data leaks and traces from your operating system and apps when you perform any activity on your
“important” if your whole OS is encrypted (if you are not compelled to reveal the password).


Let us say for example you have a Veracrypt encrypted USB key with plausible deniability enabled. Depending on the password you use 
when mounting the USB key, it will open a decoy folder or the sensitive folder. Within those folders, you will have decoy documents/data 
within the decoy folder and sensitive documents/data within the sensitive folder. 


In all cases, you will (most likely) open these folders with Windows Explorer, macOS Finder, or any other utility and do whatever you planned 
to do. Maybe you will edit a document within the sensitive folder. Maybe you will search for a document within the folder. Maybe you will 
delete one or watch a sensitive video using VLC. 
folder/files/drives, the time those were accessed, temporary caches of those files, the “recent” lists in each app, the file indexing system that
Here are some examples of such leaks:
WINDOWS: 


>> Windows ShellBags that are stored within the Windows Registry silently storing various histories of accessed volumes/files/folders.

>> Windows Indexing keeping traces of the files present in your user folder by default.

>> Recent lists (aka Jump Lists) in Windows and various apps keeping traces of recently accessed documents.

>> Many more traces in various logs, please see this convenient interesting poster for more insight: https://www.sans.org/security-resources/posters/windows-forensic-analysis/170/download [Archive.org]


MACOS:
>> Gatekeeper and XProtect keeping track of your download history in a local database and file attributes.
>> Spotlight Indexing
>> Recent lists in various apps keeping traces of recently accessed documents.
>> Temporary folders keeping various traces of App usage and Document usage.
>> macOS Logs

LINUX: 
>> Tracker Indexing 
>> Bash History 
>> USB logs 
>> Recent lists in various apps keeping traces of recently accessed documents. 
>> Linux Logs 


Forensics could use all those leaks (see Local Data Leaks and Forensics) to prove the existence of hidden data and defeat your attempts at using plausible deniability and to find out about your various sensitive activities.


It will therefore be important to apply various steps to prevent forensics from doing this by preventing and cleaning these leaks/traces and
Forensics cannot extract local data leaks from an OS they cannot access. And you will be able to clean most of those traces by wiping the drive or by securely erasing your virtual machines (which is not as easy as you think on SSD drives).


Some cleaning techniques will nevertheless be covered in the “Cover your Tracks” part of this guide at the very end.


ONLINE DATA LEAKS:


Whether you are using simple encryption or plausible deniability encryption, and even if you covered your tracks on the computer itself, there is still a risk of online data leaks that could reveal the presence of hidden data.


Telemetry is your enemy. As explained earlier in this guide, the telemetry of Operating Systems but also from Apps can send staggering
readily available at Microsoft. Therefore, it is critically important that you disable and block telemetry with all the means at your disposal, no matter what OS you are using.


Conclusion: 


You should never conduct sensitive activities from a non-encrypted system. And even if it is encrypted, you should never conduct sensitive activities from the Host OS itself. Instead, you should use a VM to be able to efficiently isolate and compartmentalize your activities and prevent local data leaks.
Tails route) for convenience. This guide will help you harden it as much as possible to prevent leaks. This guide will also help you harden macOS and Linux as much as possible to prevent similar leaks.


If you have no interest in OS-wide plausible deniability and want to learn to use Linux, I will strongly recommend going for Linux or the Qubes OS route if your hardware allows it.


In all cases, the host OS should never be used to conduct sensitive activities directly. The host OS will only be used to connect to a public Wi-Fi Access Point. It will be left unused while you conduct sensitive activities and should ideally not be used for any of your day-to-day activities.


Consider also reading https://www.whonix.org/wiki/Full_Disk_Encryption#Encrypting_Whonix_VMs [Archive.org]


Linux Host OS:
you should reinstall a fresh clean OS. If you do not want to wipe your laptop and start over, you should consider the Tails route or proceed at your own risk.
You should always remember that despite the reputation, Linux mainstream distributions (Ubuntu for instance) are not necessarily better at security than other systems such as macOS and Windows. See this reference to understand why https://madaidans-insecurities.github.io/linux.html [Archive.org]


Full disk encryption:
There are two routes here with Ubuntu or Debian based distros:
>> Using LUKS:
   >> Without plausible deniability:
      >> (Recommended and easy) Encrypt as part of the installation process: https://ubuntu.com/tutorials/install-ubuntu-desktop [Archive.org]
         >> This process requires the full erasure of your entire drive (clean install).
         >> Just check the “Encrypt the new Ubuntu installation for security” option.
      >> (Tedious but possible) Encrypt after installation: https://help.ubuntu.com/community/ManualFullSystemEncryption [Archive.org]
   >> With plausible deniability: See the next section The Detached Headers Way
>> Using Veracrypt:
   >> With or without plausible deniability: See the next section The Veracrypt Way





For other distros, you will have to document yourself, but it will likely be similar. Encryption during install is just much easier in the context of this guide.


Note about plausible deniability on Linux: 


There are several ways to achieve plausible deniability on Linux, and it is possible to achieve. Here are some more details about some of the ways I would recommend. All these options require a higher level of skill at using Linux.


THE DETACHED HEADERS WAY:
For now, I will redirect you toward this page for more information: https://wiki.archlinux.org/title/Dm-crypt/Specialties#Encrypted_system_using_a_detached_LUKS_header [Archive.org]


THE VERACRYPT WAY: 


It is technically possible to not only use Veracrypt but also to achieve plausible deniability on a Linux Host OS by using Veracrypt for system 
full-disk encryption (instead of LUKS). This is not supported by Veracrypt (System encryption is only supported on Windows) and requires 
some tinkering with various commands. This is not recommended at all for unskilled users and should only be used at your own risk. 


The steps to achieve this are not yet integrated into this guide but can be found here: http://dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/5779e55aae7fc06e4758 (this is a .onion address and requires Tor Browser).


Reject/Disable any telemetry: 


>> During the install, just make sure you do not allow any data collection if prompted. 


>> If you are not sure, just make sure you did not enable any telemetry and follow this tutorial if needed https://vitux.com/how-to-force-ubuntu-to-stop-collecting-your-data-from-your-pc/ [Archive.org]


>> Any other distro: You will need to document yourself and find out yourself how to disable telemetry if there is any. 


Disable anything unnecessary: 


>> Disable Bluetooth if enabled by following this guide https://www.addictivetips.com/ubuntu-linux-tips/disable-bluetooth-in-ubuntu/ [Archive.org] or issuing the following command:

   >> sudo systemctl disable bluetooth.service --force

completely-disable-tracker.html [Archive.org] or issuing the following commands:

   >> sudo systemctl --user mask tracker-store.service tracker-miner-fs.service tracker-miner-rss.service tracker-extract.service tracker-miner-apps.service tracker-writeback.service

   >> You can safely ignore any error if it says some service does not exist

   >> sudo tracker reset --hard


HIBERNATION: 


As explained previously, you should not use the sleep features but shut down or hibernate your laptop to mitigate some evil-maid and cold-boot attacks. Unfortunately, this feature is disabled by default on many Linux distros including Ubuntu. It is possible to enable it, but it might not work as expected. Follow this information at your own risk. If you do not want to do this, you should never use the sleep function and power off instead (and set the lid closing behavior to power off instead of sleep).
>> https://www.how2shout.com/linux/how-to-hibernate-ubuntu-20-04-lts-focal-fossa/ [Archive.org]
>> http://www.lorenzobettini.it/2020/07/enabling-hibernation-on-ubuntu-20-04/ [Archive.org]
>> https://blog.ivansmirnov.name/how-to-set-up-hibernate-on-ubuntu-20-04/ [Archive.org]


After Hibernate is enabled, change the behavior so that your laptop will hibernate when you close the lid by following this tutorial for Ubuntu 20.04 http://ubuntuhandbook.org/index.php/2020/05/lid-close-behavior-ubuntu-20-04/ [Archive.org] and this tutorial for Ubuntu 18.04 https://tipsonubuntu.com/2018/04/28/change-lid-close-action-ubuntu-18-04-lts/ [Archive.org]. There is no tutorial yet for Ubuntu 21.04 or 21.10 but the above for 20.04 should probably work too.
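Since the tutorials above are release-specific, here is an added check script (not part of the guide) that reports whether a systemd-based laptop will actually hibernate on lid close; it assumes logind reads HandleLidSwitch= from /etc/systemd/logind.conf and that the kernel lists "disk" in /sys/power/state only when suspend-to-disk is available.

```bash
#!/bin/sh
# Added example (not from the guide): check whether a systemd-based Linux laptop is
# set to hibernate, not sleep, on lid close, as the cold-boot mitigation above asks.
# Assumptions: logind reads HandleLidSwitch= from /etc/systemd/logind.conf, and the
# kernel lists "disk" in /sys/power/state only when suspend-to-disk is possible.

# Print the effective HandleLidSwitch value from a logind.conf-style file.
# The last uncommented assignment wins; logind's built-in default is "suspend".
# (Drop-ins under logind.conf.d/ are not read here; check them separately.)
lid_action() {
    val=$(sed -n 's/^[[:space:]]*HandleLidSwitch[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" 2>/dev/null | tail -n 1)
    printf '%s\n' "${val:-suspend}"
}

# Return 0 when the kernel power-state file advertises suspend-to-disk ("disk").
hibernate_supported() {
    f="${1:-/sys/power/state}"
    [ -r "$f" ] && tr ' ' '\n' < "$f" | grep -qx disk
}

# Combined verdict. Returns 0 only when lid close hibernates or powers off AND the
# kernel can hibernate. "suspend", "hybrid-sleep" and "suspend-then-hibernate" all
# keep RAM (and the disk key) powered for a while, so they are flagged.
check_lid_posture() {
    conf="${1:-/etc/systemd/logind.conf}"
    state="${2:-/sys/power/state}"
    rc=0
    action=$(lid_action "$conf")
    case "$action" in
        hibernate|poweroff) echo "OK   lid close -> $action" ;;
        *) echo "WARN lid close -> $action (keys stay in RAM)"; rc=1 ;;
    esac
    if hibernate_supported "$state"; then
        echo "OK   kernel supports suspend-to-disk"
    else
        echo "WARN kernel does not list 'disk' in $state; hibernation is not set up"
        rc=1
    fi
    return "$rc"
}

# Run the check against the live system only when asked: ./lidcheck.sh --check
if [ "${1:-}" = "--check" ]; then
    check_lid_posture
fi
```

A WARN on the second line usually means no (or too small a) swap area and no resume= kernel parameter, which is exactly what the tutorials above set up.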

Enable MAC address randomization:


>> Ubuntu, follow these steps https://help.ubuntu.com/community/AnonymizingNetworkMACAddresses [Archive.org]


>> Any other distro: you will have to find the documentation yourself, but it should be quite similar to the Ubuntu tutorial.


>> Consider this tutorial which should still work: https://josh.works/shell-script-basics-change-mac-address [Archive.org]


Hardening Linux: 


As a light introduction for new Linux users, consider https://www.youtube.com/watch?v=Sa0KqbpLye4 [Invidious]
For more in-depth and advanced options, refer to:
>> This excellent guide: https://madaidans-insecurities.github.io/guides/linux-hardening.html [Archive.org]
>> This excellent wiki resource: https://wiki.archlinux.org/title/Security [Archive.org]
>> These excellent scripts are based on the guide and wiki above: https://codeberg.org/SalamanderSecurity/PARSEC [Archive.org]
>> These tools that can help you harden your Linux Kernel:
   >> Lynis: https://github.com/CISOfy/lynis
   >> Kconfig-hardened-check: https://github.com/a13xp0p0v/kconfig-hardened-check
>> Consider the use of KickSecure when using Debian: https://www.whonix.org/wiki/Kicksecure [Archive.org]
>> This interesting article: http://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html [Archive.org]


Setting up a safe Browser:
See Appendix G: Safe Browser on the Host OS


macOS Host OS: 
you should reinstall a fresh clean OS. If you do not want to wipe your laptop and start over, you should consider the Tails route or proceed at your own risk.

During the install:

>> Stay Offline 

>> Disable all data sharing requests when prompted including location services 

>> Do not sign in with Apple 


>> Do not enable Siri


Hardening macOS: 


As a light introduction for new macOS users, consider https://www.youtube.com/watch?v=IFx5icuE6lo [Invidious]
issues: https://github.com/drduh/macOS-Security-and-Privacy-Guide [Archive.org]


Here are the basic steps you should take after your offline installation: 


ENABLE FIRMWARE PASSWORD WITH “DISABLE-RESET-CAPABILITY” OPTION: 
First, you should set up a firmware password following this guide from Apple: https://support.apple.com/en-us/HT204455 [Archive.org]


Unfortunately, some attacks are still possible and an adversary could disable this password so you should also follow this guide to prevent


ENABLE HIBERNATION INSTEAD OF SLEEP:


Again, this is to prevent some cold-boot and evil-maid attacks by powering down your RAM and cleaning the encryption key when you close 
the lid. You should always either hibernate or shut down. On macOS, the hibernate feature even has a special option to specifically clear the 
hibernation:


>> Open a Terminal 


>> Run: sudo pmset -a destroyfvkeyonstandby 1

>> This command will instruct macOS to destroy the FileVault key on Standby (sleep)

>> Run: sudo pmset -a hibernatemode 25


>> This command will instruct macOS to power off the memory during sleep instead of doing a hybrid hibernate that keeps the 
memory powered on. It will result in slower wakes but will increase battery life. 
In addition, you should also set up an automatic sleep (Settings > Energy) so that your MacBook will hibernate automatically if left unattended.


DISABLE UNNECESSARY SERVICES: 
Disable some unnecessary settings within the settings:
>> Disable Bluetooth
>> Disable Location Services


PREVENT APPLE OCSP CALLS:


These are the infamous “unblockable telemetry” calls from macOS Big Sur disclosed here: https://sneak.berlin/20201112/your-computer-isnt-yours/ [Archive.org]
>> sudo sh -c 'echo "127.0.0.1 ocsp.apple.com" >> /etc/hosts'
ocsp/ [Archive.org]


Up to you really. I would block it because I do not want any telemetry at all from my OS to the mothership without my specific consent. None.


ENABLE FULL DISK ENCRYPTION (FILEVAULT):
Security-and-Privacy-Guide#full-disk-encryption [Archive.org]
This will be reset at each reboot, and you will have to re-do it each time to ensure you do not use your actual MAC Address when connecting to various Wi-Fis.


You can do this by issuing the following commands in Terminal (without the parentheses):
>> (Turn the Wi-Fi off) networksetup -setairportpower en0 off
>> (Change the MAC Address) sudo ifconfig en0 ether 88:63:11:11:11:11
>> (Turn the Wi-Fi back on) networksetup -setairportpower en0 on
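As an added example (not from the guide), the script below replaces the fixed address above with a freshly generated random one on every run and applies it with the same three commands; it assumes the Wi-Fi interface is en0 and that sudo is available for ifconfig.

```bash
#!/bin/bash
# Added example (not from the guide): generate a fresh random MAC address on each
# run instead of the fixed one shown above, then apply it with the same
# networksetup/ifconfig commands the guide gives. Assumes the Wi-Fi interface is
# en0 (list them with: networksetup -listallhardwareports) and sudo for ifconfig.

# Print a random MAC whose first octet has the unicast bit (bit 0) clear and the
# locally-administered bit (bit 1) set, so it is valid for a station and never
# claims a real manufacturer's OUI.
random_mac() {
    local first rest
    first=$(( ( $(od -An -N1 -tu1 /dev/urandom) & 0xFC ) | 0x02 ))
    # five random bytes as hex, then ":xx" per byte -> ":8c:2e:91:0a:57"
    rest=$(od -An -N5 -tx1 /dev/urandom | tr -d ' \n' | sed 's/../:&/g')
    printf '%02x%s\n' "$first" "$rest"
}

# Return 0 only for a well-formed, lowercase, unicast, locally-administered MAC.
mac_is_local_unicast() {
    case "$1" in
        [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]) ;;
        *) return 1 ;;
    esac
    [ $(( 0x${1%%:*} & 0x03 )) -eq 2 ]
}

# Bring Wi-Fi down, set the address, bring it back up (the guide's three commands).
# Outside macOS this only reports what it would do, so the script can be tried safely.
apply_mac() {
    local iface="${1:-en0}" mac="${2:-$(random_mac)}"
    if ! mac_is_local_unicast "$mac"; then
        echo "refusing to apply '$mac': not a unicast, locally-administered MAC" >&2
        return 1
    fi
    if [ "$(uname)" != Darwin ]; then
        echo "dry run (not macOS): would set $iface to $mac"
        return 0
    fi
    networksetup -setairportpower "$iface" off
    sudo ifconfig "$iface" ether "$mac"
    networksetup -setairportpower "$iface" on
    echo "$iface now uses $mac (reverts to the hardware address at next reboot)"
}

# Usage: ./randmac.sh --apply [interface]
if [ "${1:-}" = "--apply" ]; then
    apply_mac "${2:-en0}"
fi
```

Because macOS restores the hardware address on reboot, run it after every boot before joining a network.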

Setting up a safe Browser: 

See Appendix G: Safe Browser on the Host OS 


Windows Host OS: 
you should reinstall a fresh clean OS. If you do not want to wipe your laptop and start over, you should consider the Tails route or proceed at your own risk.

Installation:
As a light introduction, consider watching https://www.youtube.com/watch?v=vNRics7tlqw [Invidious]


Enable MAC address randomization:


You should randomize your MAC address as explained earlier in this guide:


Go into Settings > Network & Internet > Wi-Fi > Enable Random hardware addresses


Alternatively, you could use this free piece of software: https://technitium.com/tmac/ [Archive.org]


Setting up a safe Browser: 


See Appendix G: Safe Browser on the Host OS 


Enable some additional privacy settings on your Host OS: 


See Appendix B: Windows Additional Privacy Settings 


WINDOWS HOST OS ENCRYPTION: 


IF YOU INTEND TO USE SYSTEM-WIDE PLAUSIBLE DENIABILITY: 


Veracrypt is the software I will recommend for full-disk encryption, file encryption, and plausible deniability. It is a fork of the well-known but deprecated and unmaintained TrueCrypt. It can be used for:


>> Full Disk simple encryption (your hard drive is encrypted with one passphrase). 


>> Full Disk encryption with plausible deniability (this means that depending on the passphrase entered at boot, you will either boot a decoy OS or a hidden OS).


>> File container simple encryption (it is a large file that you will be able to mount within Veracrypt as if it were an external drive to store 
encrypted files within). 


>> File container with plausible deniability (it is the same large file but depending on the passphrase you use when mounting it, you will 
either mount a “hidden volume” or the “decoy volume’). 


To my knowledge, it is the only (convenient and usable by anyone) free, open-source, and openly audited encryption software that also provides plausible deniability for widespread use and it works with Windows Home Edition.


Go ahead and download and install Veracrypt from: https://www.veracrypt.fr/en/Downloads.html [Archive.org]
After installation, please take a moment to review the following options that will help mitigate some attacks: 


>> Encrypt the memory with a Veracrypt option (settings > performance/driver options > encrypt RAM) at a cost of 5-15% performance.
altogether to mitigate some cold-boot attacks. More details about this feature here: https://sourceforge.net/p/veracrypt/discussion/technical/thread/3961542951/ [Archive.org]


>> Enable the Veracrypt option to wipe the keys from memory if a new device is inserted (system > settings > security > clear keys from 
memory if a new device is inserted). This could help in case your system is seized while still on (but locked). 


>> Enable the Veracrypt option to mount volumes as removable volumes (Settings > Preferences > Mount volume as removable media). 
This will prevent Windows from writing some logs about your mounts in the Event logs and prevent some local data leaks.


>> Be careful and have a good situational awareness if you sense something weird. Shut your laptop down as fast as possible. 


If you do not want to use encrypted memory (because performance might be an issue), you should at least enable hibernation instead of sleep. This will not clear the keys from memory (you are still vulnerable to cold boot attacks) but at least should mitigate them if your memory has enough time to decay.


More details later in Route A and B: Simple Encryption using Veracrypt (Windows tutorial). 


IF YOU DO NOT INTEND TO USE SYSTEM-WIDE PLAUSIBLE DENIABILITY: 


For this case, I will recommend the use of BitLocker instead of Veracrypt for the full disk encryption. The reasoning is that BitLocker does not
you reveal the passphrase.


Normally, you should have installed Windows Pro in this case and the BitLocker setup is quite straightforward. 


Basically, you can follow the instructions here: https://support.microsoft.com/en-us/windows/turn-on-device-encryption-0c453637-bc88-5f74-5105-741561aae838 [Archive.org]


But here are the steps: 
>> Click the Windows Menu 
>> Type “Bitlocker” 
>> Click “Manage Bitlocker” 
>> Click “Turn on Bitlocker” on your System Drive 
>> Follow the instructions 
>> Only save the recovery key to an external encrypted drive. To bypass this, print the recovery key using the Microsoft Print to PDF printer and save the key within the Documents folder. Delete that file later.


>> Encrypt Entire Drive (do not encrypt the used disk space only). 
>> Use “New Encryption Mode” 
>> Run the BitLocker Check 
>> Reboot 
>> Encryption should now be started in the background (you can check by clicking the Bitlocker icon on the lower right side of the taskbar). 


Unfortunately, this is not enough. With this setup, your Bitlocker key can just be stored as-is in the TPM chip of your computer. This is rather problematic as the key can be extracted in some cases with ease.


To mitigate this, we will have to enable a few more options as per the recommendations of Microsoft:
>> Click the Windows icon
>> Type Run
>> Type “gpedit.msc” (this is the group policy editor)
>> Navigate to Computer Configuration > Administrative Templates > Windows Components > BitLocker > Operating System Drives
>> Double Click the “Require Additional Authentication at Startup”
>> Click the “Configure TPM Startup PIN” and set it to “Require Startup PIN with TPM”
>> Double Click the “Allow enhanced PINs for startup”
>> Click the “Enable” (this will allow us to set a password rather than a PIN)
>> Click the Windows icon
>> Type Command to display the “Command Prompt” 
>> Right Click on it and click “Run as Administrator” 
>> Run manage-bde -protectors -delete c: (this will delete current protection: the recovery key we will not need) 
>> Run manage-bde -protectors -add c: -TPMAndPIN (this will prompt you for a pre-boot password) 
>> Enter a password or passphrase of your choice (a good one) 
>> Run manage-bde -status
>> You should now see at your C: drive below “Key Protectors” the option “TPM and PIN” 
>> You are done 
Now when you reboot your computer, you should ideally be prompted for: 
>> A BIOS/UEFI boot password 
>> An SSD/HDD unlock password (if the feature is available on your BIOS) 
>> A Bitlocker Pre-Boot PIN Screen where you need to enter the password/passphrase you just set up


>> And finally, the Windows Logon Screen where you can enter the credentials you set up earlier


ENABLE HIBERNATION (OPTIONAL): 


Again, as explained earlier, you should never use the sleep/stand-by feature, in order to mitigate some cold-boot and evil-maid attacks. Instead, you should shut down or hibernate. You should therefore switch your laptop from sleeping to hibernating when closing the lid or when your laptop goes to sleep.
The reason is that Hibernation will actually shut down your laptop completely and clean the memory. Sleep on the other hand will leave the memory powered on (including your decryption key) and could leave your laptop vulnerable to cold-boot attacks.
>> Open an administrator command prompt (right-click on Command Prompt and “Run as Administrator”)
>> Run: powercfg.exe /hibernate on
>> Now run the additional command: powercfg /h /type full
After that you should go into your power settings:
>> Open the Control Panel
>> Open System & Security
>> Open Power Options
>> Open “Choose what the power button does”
>> Change everything from sleep to hibernate or shutdown
>> Go back to the Power Options
>> Select Change Plan Settings
>> Select Advanced Power Settings
>> Change all the Sleep Values for each Power Plan to 0 (Never)
>> Make sure Hybrid Sleep is Off for each Power Plan
>> Enable Hibernate After the time you would like
>> Disable all the Wake timers


Deciding which sub-route you will take: 


Now you will have to pick your next step between two options:
>> Route A: Simple encryption of your current OS
   >> Pros:
      >> Does not require you to wipe your laptop
      >> No issue with local data leaks
      >> Works fine with an SSD drive
      >> Works with any OS
      >> Simple
   >> Cons:
      >> You could be compelled by an adversary to reveal your password and all your secrets and will have no plausible deniability.
      >> The danger of Online data leaks

>> Route B: Simple encryption of your current OS with later use of plausible deniability on files themselves:
   >> Pros:
      >> Does not require you to wipe your laptop
      >> Works fine with an SSD drive
      >> Works with any OS
      >> Plausible deniability is possible with “soft” adversaries
   >> Cons:
      >> The danger of Online Data leaks

   >> Pros:
      >> No issues with local Data leaks
      >> Plausible deniability is possible with “soft” adversaries
   >> Cons:
      >> Requires Windows (this feature is not “easily” supported on Linux).
      >> The danger of online Data leaks
      >> Requires full wipe of your laptop
      >> No use with an SSD drive due to the requirement of disabling Trim Operations. This will severely degrade the performance/health of your SSD drive over time.
adversary. Remember https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis [Wikiless] [Archive.org]
Deciding which route you will take is up to you. Route A is a minimum. 


Always be sure to check for new versions of Veracrypt frequently to ensure you benefit from the latest patches. Especially check
NOTE THAT BY DEFAULT VERACRYPT WILL ALWAYS PROPOSE A SYSTEM PASSWORD IN QWERTY (display the password as a
password in QWERTY and will input it at boot time in AZERTY. So, make sure you check when doing the test boot what keyboard
you will need to type the password in QWERTY within Veracrypt.


ROUTE A AND B: SIMPLE ENCRYPTION USING VERACRYPT (WINDOWS TUTORIAL) 
Skip this step if you used BitLocker instead earlier. 


You do not have to have an HDD for this method, and you do not need to disable Trim on this route. Trim leaks will only be of use to forensics 
in detecting the presence of a Hidden Volume but will not be of much use otherwise. 


This route is rather straightforward and will just encrypt your current Operating System in place without losing any data. Be sure to read all 
the texts Veracrypt is showing you, so you have a full understanding of what is going on. Here are the steps: 


>> Launch VeraCrypt 
>> Go into Settings: 
>> Settings > Performance/driver options > Encrypt RAM 
>> System > Settings > Security > Clear keys from memory if a new device is inserted 
>> System > Settings > Windows > Enable Secure Desktop 
>> Select System 
>> Select Encrypt System Partition/Drive 
>> Select Normal (Simple) 
>> Select Single-Boot 
>> Select AES as encryption Algorithm (click the test button if you want to compare the speeds) 
>> Select SHA-512 as hash Algorithm (because why not) 
>> Enter a strong passphrase (longer the better, remember Appendix A2: Guidelines for passwords and passphrases) 
>> Collect some entropy by randomly moving your cursor around until the bar is full 


>> Click Next as the Generated Keys screen 


>> To rescue disk or not rescue disk, well that is up to you. I recommend making one (just in case), just make sure to store it outside your encrypted drive (USB key for instance or wait and see the end of this guide for guidance on safe backups). This rescue disk will not store your passphrase and you will still need it to use it.


>> Wipe mode: 
>> If you have no sensitive data yet on this laptop, select None 


>> If you have sensitive data on an SSD, Trim alone should take care of it but I would recommend one pass (random data) just to be sure.


>> If you have sensitive data on an HDD, there is no Trim, and I would recommend at least 1-pass. 


>> Test your setup. Veracrypt will now reboot your system to test the bootloader before encryption. This test must pass for encryption to go 
forward. 


>> After your computer has rebooted and the test has passed, you will be prompted by Veracrypt to start the encryption process. 
>> Start the encryption and wait for it to complete. 
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There will be another section on creating encrypted file containers with Plausible Deniability on Windows. 


ROUTE B: PLAUSIBLE DENIABILITY ENCRYPTION WITH A HIDDEN OS (WINDOWS ONLY) 


This is only supported on Windows. 
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full clean installation that will wipe everything on your laptop. 


Read the Veracrypt Documentation https://www.veracrypt.fr/en/VeraCrypt%20Hidden%20Operating%20System.html [Archive.org] (Process of 
Creation of Hidden Operating System part) and https://www.veracrypt.fr/en/Security%20Requirements%20for%20Hidden%20Volumes.html 
[Archive.org] (Security Requirements and Precautions Pertaining to Hidden Volumes). 


This is how your system will look after this process is done: 





(Illustration from Veracrypt Documentation, https://veracrypt.fr/en/VeraCrypt%20Hidden%20Operating%20System.html [Archive.org]) 
As you can see this process requires you to have two partitions on your hard drive from the start. 
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>> Encrypt your second partition (the outer volume) that will look like an empty unformatted disk from the decoy OS. 

>> Prompt you with the opportunity to copy some decoy content within the outer volume. 

>> This is where you will copy your decoy Anime/Porn collection from some external hard drive to the outer volume. 

>> Create a hidden volume within the outer volume of that second partition. This is where the hidden OS will reside. 
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>> Wipe your currently running Windows 10. 


>> This means that your current Windows 10 will become the hidden Windows 10 and that you will need to reinstall a fresh decoy 
Windows 10 OS. 


Mandatory if you have an SSD drive and you still want to do this against the recommendation: Disable SSD Trim in Windows (again, this is 
NOT recommended at all as disabling Trim in itself is highly suspicious). As mentioned earlier, disabling Trim will reduce the lifetime of your 
SSD drive and will significantly impact its performance over time (your laptop will become slower and slower over several months of use until 
it becomes almost unusable, and you will then have to clean the drive and re-install everything). But you must do it to prevent data 
leaks that could allow forensics to defeat your plausible deniability. The 
only way around this at the moment is to have a laptop with a classic HDD drive instead. 


STEP 1: CREATE A WINDOWS 10 INSTALL USB KEY 
See Appendix C: Windows Installation Media Creation and go with the USB key route. 
STEP 2: BOOT THE USB KEY AND START THE WINDOWS 10 INSTALL PROCESS (HIDDEN OS) 

>> Insert the USB key into your laptop 


>> See Appendix A: Windows Installation and proceed with installing Windows 10 Home. 


STEP 3: PRIVACY SETTINGS (HIDDEN OS) 

See Appendix B: Windows Additional Privacy Settings 

STEP 4: VERACRYPT INSTALLATION AND ENCRYPTION PROCESS START (HIDDEN OS) 

Remember to read https://www.veracrypt.fr/en/VeraCrypt%20Hidden%20Operating%20System.html [Archive.org] 
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here using a USB key. Here are the steps: 


>> Install Veracrypt 
>> Start Veracrypt 
>> Go into Settings: 


>> Settings > Performance/driver options > Encrypt RAM (note that this option is not compatible with hibernation of your laptop 
and means you will have to shut down completely) 


>> System > Settings > Security > Clear keys from memory if a new device is inserted 





>> System > Settings > Windows > Enable Secure Desktop 
>> Go into System and select Create Hidden Operating System 
>> Read all the prompts thoroughly 
>> Select Single-Boot if prompted 
>> Create the Outer Volume using AES and SHA-512. 
>> Use all the space available on the second partition for the Outer Volume 
>> Use a strong passphrase (remember Appendix A2: Guidelines for passwords and passphrases) 
>> Select yes to Large Files 


>> Create some Entropy by moving the mouse around until the bar is full and select NTFS (do not select exFAT as we want this outer 
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>> Format the Outer Volume 
>> Open Outer Volume: 


>> At this stage, you should copy decoy data onto the outer volume. So, you should have some sensitive but not so sensitive 
files/folders to copy there, in case you need to reveal a password to this Volume. This is a good place for your 
Anime/Mp3/Movies/Porn collection. 


>> I recommend you do not fill the outer volume too much or too little (about 40%). Remember you must leave enough space for the 
Hidden OS (which will be the same size as the first partition you created during installation). 


>> Use a strong passphrase for the Hidden Volume (obviously a different one than the one for the Outer Volume). 
>> Now you will create the Hidden Volume, select AES and SHA-512 

>> Fill the entropy bar until the end with random mouse movements 

>> Format the hidden Volume 

>> Proceed with the Cloning 


>> Veracrypt will now restart and Clone the Windows where you started this process into the Hidden Volume. This Windows will become 
your Hidden OS. 


>> When the cloning is complete, Veracrypt will restart within the Hidden System 


>> Veracrypt will inform you that the Hidden System is now installed and then prompt you to wipe the Original OS (the one you installed 
previously with the USB key). 


>> Use 1-Pass Wipe and proceed. 
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Now that the Hidden OS is fully installed, you will need to install a Decoy OS: 
>> Insert the USB key into your laptop 


>> See Appendix A: Windows Installation and proceed with installing Windows 10 Home again (do not install a different version and stick 
with Home). 
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See Appendix B: Windows Additional Privacy Settings 
STEP 7: VERACRYPT INSTALLATION AND ENCRYPTION PROCESS START (DECOY OS) 
Now we will encrypt the Decoy OS: 
>> Install Veracrypt 
>> Launch VeraCrypt 
>> Select System 
>> Select Encrypt System Partition/Drive 
>> Select Normal (Simple) 
>> Select Single-Boot 
>> Select AES as encryption Algorithm (click the test button if you want to compare the speeds) 
>> Select SHA-512 as hash Algorithm (because why not) 


>> Enter a short weak password (yes this is serious, do it, it will be explained later). 





>> Collect some entropy by randomly moving your cursor around until the bar is full 


>> Click Next at the Generated Keys screen 


>> To rescue disk or not rescue disk, well that is up to you. I recommend making one (just in case), just make sure to store it outside 
your encrypted drive (USB key for instance or wait and see the end of this guide for guidance on safe backups). This rescue disk will 
not store your passphrase and you will still need it to use it. 


>> Wipe mode: Select 1-Pass just to be safe 


>> Pre-Test your setup. Veracrypt will now reboot your system to test the bootloader before encryption. This test must pass for encryption 
to go forward. 


>> After your computer has rebooted and the test has passed, you will be prompted by Veracrypt to start the encryption process. 
>> Start the encryption and wait for it to complete. 


>> Your Decoy OS is now ready for use. 


STEP 8: TEST YOUR SETUP (BOTH OS) 

Time to test your setup: 
>> Reboot and input your Hidden OS passphrase, you should boot within the Hidden OS. 
>> Reboot and input your Decoy OS passphrase, you should boot within the Decoy OS. 


>> Launch Veracrypt on the Decoy OS and mount the second partition using the Outer Volume Passphrase (mount it as read-only, by 
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from your Hidden OS. 


STEP 9: CHANGING THE DECOY DATA ON YOUR OUTER VOLUME SAFELY 


Before going to the next step, you should learn the way to mount your Outer Volume safely for writing content on it. This is also explained in 
this official Veracrypt Documentation https://www.veracrypt.fr/en/Protection%20of%20Hidden%20Volumes.html [Archive.org] 
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the Hidden Volume from being overwritten. Veracrypt will then allow you to write data to the Outer volume without risking overwriting any data 
on the Hidden Volume: 


>> Open Veracrypt 

>> Select your Second Partition 

>> Click Mount 
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>> Check the “Protect the Hidden volume...” Option 

>> Enter the Hidden OS passphrase 

>> Click OK 

>> Enter your Outer Volume passphrase 

>> Click OK 

>> You should now be able to open and write to your Outer Volume without risking overwriting any data on the Hidden Volume. 


This operation will not actually mount the Hidden Volume and should prevent the creation of any forensic evidence that could lead to the 
discovery of the hidden OS. However, while you are performing this operation, both passwords will be stored in your RAM and therefore you 
could still be susceptible to a Cold-Boot Attack. To mitigate this, be sure to have the option to encrypt your RAM too as instructed before. 
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We must make the Decoy OS as plausible as possible. We also want your adversary to think you are not that smart. 


Therefore, it is important to voluntarily leave some forensic evidence of your Decoy Content within your Decoy OS. This evidence will let 
forensic examiners see that you mounted your Outer Volume frequently to access its content. 


Here are useful tips to leave some forensic evidence: 
>> Play the content from the Outer Volume from your Decoy OS (using VLC for instance). Be sure to keep a history of those. 
>> Edit Documents and work on them. 
>> Enable File Indexing again on the Decoy OS and include the Mounted Outer Volume. 
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>> Copy some Content from your Outer Volume to your Decoy OS and then delete it unsafely (just put it in the recycle Bin). 


>> Have a Torrent Client installed on the Decoy OS and use it from time to time to download some similar stuff that you will leave on the Decoy 
OS. 


>> You could have a VPN client installed on the Decoy OS with a known VPN of yours (non-cash paid). 
Do not put anything suspicious on the Decoy OS such as: 
>> This guide 
>> Any links to this guide 
>> Any suspicious anonymity software such as Tor Browser 
NOTES: 
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>> You are using Veracrypt because you are using Windows 10 Home which does not feature Bitlocker but still wanted Privacy. 
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Take some time to read again the “Possible Explanations for Existence of Two Veracrypt Partitions on Single Drive” of the Veracrypt 


documentation here https://www.veracrypt.fr/en/VeraCrypt% 20Hidden%20Operating%20System.html [Archive.org] 
Be careful: 
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anyway (intentionally or by mistake) from the Decoy OS, there are ways to erase forensics evidence that will be explained later at the 
end of this guide. 


>> Never Use the Decoy OS from the same network (public Wi-Fi) as the Hidden OS. 
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>> Note that you will not use the Hidden OS to perform sensitive activities, this will be done later from a VM within the Hidden 
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to reveal your password. 


>> Be careful of any tampering with your laptop. Evil-Maid Attacks can reveal your hidden OS. 


Virtualbox on your Host OS: 


Remember Appendix W: Virtualization. 


This step and the following steps should be done from within the Host OS. This can either be your Host OS with simple encryption 
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In this route, we will make extensive use of the free Oracle Virtualbox software. This is a virtualization software in which you can create 
Virtual Machines that emulate a computer running a specific OS (if you want to use something else like Xen, Qemu, KVM, or VMWARE, feel 
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So, you should be aware that Virtualbox is not the virtualization software with the best track record in terms of security and some of the 
reported issues have not been completely fixed to this date and if you are using Linux with a bit more technical skills, you should 
consider using KVM instead by following the guide available at Whonix here https://www.whonix.org/wiki/KVM [Archive.org] and here 
https://www.whonix.org/wiki/KVM#Why_Use_KVM_Over_VirtualBox.3F [Archive.org] 


Some steps should be taken in all cases: 


All your sensitive activities will be done from within a guest Virtual Machine running Windows 10 Pro (not Home this time), Linux, 
or macOS. 


This has a few advantages that will help you remain anonymous: 


>> It should prevent the guest VM OS (Windows/Linux/macOS), Apps, and any telemetry within the VMs from accessing your hardware 
directly. Even if your VM is compromised by malware, this malware should not be able to escape the VM and compromise your actual laptop. 


>> It will allow us to force all the network traffic from your client VM to run through another Gateway VM that will direct (torify) all the traffic 
towards the Tor Network. This is a network “kill switch”. Your VM will lose its network connectivity completely and go offline if the other 
VM loses its connection to the Tor Network. 
>> The VM itself that only has internet connectivity through a Tor Network Gateway will connect to your cash-paid VPN service through Tor. 
>> DNS Leaks will be impossible because the VM is on an isolated network that must go through Tor no matter what. 


Pick your connectivity method: 


There are seven possibilities within this route: 
>> Recommended and preferred: 
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>> Use VPN over Tor (User > Tor > VPN > Internet) in specific cases 
>> Use a VPS with a self-hosted VPN/Proxy over Tor (User > Tor > Self-Hosted VPN/Proxy > Internet) in specific cases 
>> Possible if required by context: 
>> Use VPN over Tor over VPN (User > VPN > Tor > VPN > Internet) 
>> Use Tor over VPN (User > VPN > Tor > Internet) 
>> Not recommended and risky: 
>> Use VPN alone (User > VPN > Internet) 
>> Use VPN over VPN (User > VPN > VPN > Internet) 
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>> No VPN and no Tor (User > Internet) 





Tor only: 


This is the preferred and most recommended solution. 


Virtual Machine 
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section. 


VPN/Proxy over Tor: 


This solution can bring some benefits in some specific cases vs using Tor only where accessing the destination service would be impossible 
from a Tor Exit node. This is because many services will just outright ban, hinder, or block Tor Exit Nodes (see 
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This solution can be achieved in two ways: 


>> Paid VPN over Tor (easiest) 





>> Paid Self-Hosted VPS configured as VPN/Proxy (most efficient in avoiding online obstacles such as captchas but requiring more skills 
with Linux) 


As you can see in this illustration, if your cash (preferred)/Monero paid VPN/Proxy is compromised by an adversary (despite their privacy 
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Encrypted Tor Network 


(Illustration: Virtual Machine > Encrypted Tor Network > Encrypted Cash-Paid VPN (Warning: No Tor Stream Isolation) > Internet Services) 





If an adversary somehow manages to compromise the Tor network too, they will only reveal the IP of a random public Wi-Fi that is not tied to 
your identity. 


If an adversary somehow compromises your VM OS (with malware or an exploit for instance), they will be trapped within the internal Network 
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Stream isolation is a mitigation technique used to prevent some correlation attacks by having different Tor Circuits for each application. Here 
is an illustration to show what stream isolation is: 


(Illustration: “Stream Isolation” versus “No Stream Isolation”, showing each application with its own 1st/2nd/3rd node Tor circuit on one side and all applications sharing a single 1st/2nd/3rd node circuit on the other) 

(Illustration from Marcelo Martins, ) 





VPN/Proxy over Tor falls on the right side, meaning using a VPN/Proxy over Tor forces Tor to use one circuit for all activities instead of 
multiple circuits for each. This means that using a VPN/Proxy over Tor can reduce the effectiveness of Tor in some cases and should 
therefore be used only for some specific cases: 


>> When your destination service does not allow Tor Exit nodes. 


>> When you do not mind using a shared Tor circuit for various services. For instance, when using various authenticated services. 
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of your sessions (see Your Anonymized Tor/VPN traffic). If your goal however is to use the same identity at each session on the 
same authenticated services, the value of Stream isolation is lessened as you can be correlated through other means. 


You should also know that Stream Isolation is not necessarily configured by default on Whonix Workstation. It is only pre-configured for some 
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Also, note that Stream Isolation does not necessarily change all the nodes in your Tor circuit. It can sometimes only change one or two. In 
many cases, Stream Isolation (for instance within the Tor Browser) will only change the relay (middle) node and the exit node while keeping 
the same guard (entry) node. 


More information at: 
>> https://www.whonix.org/wiki/Stream_Isolation [Archive.org] 
>> https://tails.boum.org/contribute/design/stream_isolation/ [Archive.org] 
>> https://www.whonix.org/wiki/Tunnels/Introduction#Comparison_Table [Archive.org] 
Tor over VPN: 
You might be wondering: Well, what about using Tor over VPN instead of VPN over Tor? Well, I would not necessarily recommend it: 
>> Disadvantages: 


>> Your VPN provider is just another ISP that will then know your origin IP and will be able to de-anonymize you if required. We do 
not trust them. I prefer a situation where your VPN provider does not know who you are. It does not add much in terms of 
anonymity. 


>> This would result in you connecting to various services using the IP of a Tor Exit Node which is banned/flagged in many places. It 
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>> Advantages: 


>> The main advantage applies if you are in a hostile environment where Tor access is impossible/dangerous/suspicious, 
but VPN is okay. 


>> This method also does not break Tor Stream isolation. 
>> This also hides your Tor activities from your main ISP. 


Note, if you are having issues accessing the Tor Network due to blocking/censorship, you could try using Tor Bridges. See Appendix X: Using 
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It is also possible to consider VPN over Tor over VPN (User > VPN > Tor > VPN > Internet) using two cash/Monero paid VPNs instead. 
This means that you will connect the Host OS to a first VPN from your Public Wi-Fi, then Whonix will connect to Tor, and finally, your VM will 
connect to a second VPN over Tor over VPN (see https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor [Archive.org]) 


This will of course have a significant performance impact and might be quite slow, but Tor is necessary somewhere for achieving reasonable 
anonymity. 


Achieving this technically is easy within this route: you need two separate anonymous VPN accounts, must connect to the first VPN from 
the Host OS, and then follow the route. 


Conclusion: Only do this if you think using Tor alone is risky/impossible but VPNs are okay. Or just because you can and so why not. This 
method will not lower your security/privacy/anonymity. 


VPN only: 
This route will not be explained nor recommended. 


If you can use VPN, then you should be able to add a Tor layer over it. And if you can use Tor, then you can add an anonymous 
VPN over Tor to get the preferred solution. 


Just using a VPN or even a VPN over VPN makes no sense as those can be traced back to you over time. One of the VPN providers will 
know your real origin IP (even if it is in a safe public space) and even if you add one over it, the second one will still know you were using that 
other first VPN service. This will only slightly delay your de-anonymization. Yes, it is an added layer ... but it is a persistent centralized added 
layer, and you can be de-anonymized over time. This is just chaining 3 ISPs that are all subject to lawful requests. 


For more info, please see the following references: 


>> https://www.whonix.org/wiki/Comparison_Of_Tor_with_CGI_Proxies,_Proxy_Chains,_and_VPN_Services#Tor_and_VPN_Services_Comparison 
[Archive.org] 
>> https://www.whonix.org/wiki/Why_does_Whonix_use_Tor [Archive.org] 
>> https://www.researchgate.net/publication/324251041_Anonymity_communication_VPN_and_Tor_a_comparative_study [Archive.org] 
>> https://gist.github.com/joepie91/5a9909939e6ce7d09e29#file-vpn-md [Archive.org] 
>> https://schub.wtf/blog/2019/04/08/very-precarious-narrative.html [Archive.org] 
In the context of this guide, Tor is required somewhere to achieve reasonable and safe anonymity and you should use it if you can. 


No VPN/Tor: 


If you cannot use VPN nor Tor where you are, you probably are in a very hostile environment where surveillance and control are extremely 
high. 


Just do not, it is not worth it and too risky IMHO. You can be de-anonymized almost instantly by any motivated adversary that could get to 
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Do not forget to check back on Adversaries (threats) and Appendix S: Check your network for surveillance/censorship using OONI. 


If you have absolutely no other option and still want to do something, see Appendix P: Accessing the internet as safely as possible when 
Tor and VPNs are not an option. 


Conclusion: 


(Table: comparison of the connection types discussed above. Columns recovered from the original layout: Connection Type, Ease of Access, 
Cost, Tor Stream isolation, Safer where Tor is ... Rows: Tor, Tor over VPN, VPN over Tor, Self-Hosted VPS VPN/Proxy over Tor, 
VPN/Proxy over Tor over VPN, VPN/Proxy Alone, No Tor and VPN. Recoverable cell values: Yes, If needed (Tor ...), If needed (convenience), 
Around 50€/y, Around 100€/y, Around 100€ (Antenna).) 


Unfortunately, using Tor alone will raise the suspicion of many destinations’ platforms. You will face many hurdles (captchas, errors, 
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difficulties signing up) if you only use Tor. In addition, using Tor where you are could put you in trouble just for that. But Tor is still the best 
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>> If you intend to create persistent shared and authenticated identities on various services where access from Tor is hard, I recommend 
the VPN over Tor and VPS VPN/Proxy over Tor options (or VPN over Tor over VPN if needed). It might be a bit less secure against 
correlation attacks due to breaking Tor Stream isolation but provides much better convenience in accessing online resources than just 
using Tor. It is an “acceptable” trade-off IMHO if you are careful enough with your identity. 
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captchas and other various obstacles. In that case, a self-hosted VPS with a VPN/Proxy over Tor is the best solution for 
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Consider a Self-hosted VPN/Proxy on a Monero/Cash-paid VPS (for users more familiar with Linux) if you want the least amount 
of issues (this will be explained in the next section in more details). 


>> If your intent however is just to browse random services anonymously without creating specific shared identities, using tor friendly 
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full benefits of Stream Isolation (or Tor over VPN if you need to). 


>> If cost is an issue, I recommend the Tor Only option if possible. 


>> If both Tor and VPN access are impossible or dangerous then you have no choice but to rely on Public wi-fi safely. See Appendix P: 
Accessing the internet as safely as possible when Tor and VPNs are not an option 


For more information, you can also see the discussions here that could help you decide for yourself: 


>> Tor Project: https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN [Archive.org] 





>> Tails Documentation: 
>> https://gitlab.tails.boum.org/tails/blueprints/-/wikis/vpn_support/ [Archive.org] 
>> https://tails.boum.org/support/faq/index.en.html#index20h2 [Archive.org] 
>> Whonix Documentation (in this order): 
>> https://www.whonix.org/wiki/Tunnels/Introduction [Archive.org] 
>> https://www.whonix.org/wiki/Tunnels/Connecting_to_Tor_before_a_VPN [Archive.org] 
>> https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor [Archive.org] 


>> Some papers on the matter: 


>> https://www.researchgate.net/publication/324251041_Anonymity_communication_VPN_and_Tor_a_comparative_study 
[Archive.org] 


Getting an anonymous VPN/Proxy: 


Skip this step if you want to use Tor only. 
See Appendix O: Getting an anonymous VPN/Proxy 


Whonix: 
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This route will use Virtualization and Whonix as part of the anonymization process. Whonix is a Linux distribution composed of two Virtual 
Machines: 


>> The Whonix Workstation (this is a VM where you can conduct sensitive activities) 


>> The Whonix Gateway (this VM will establish a connection to the Tor network and route all the network traffic from the Workstation 
through the Tor network). 


This guide will therefore propose two flavors of this route: 


>> The Whonix only route where all traffic is routed through the Tor Network (Tor Only or Tor over VPN). 


(Illustration: Whonix Gateway VM) 





>> A Whonix hybrid route where all traffic is routed through a cash (preferred)/Monero paid VPN over the Tor Network (VPN over Tor or 
VPN over Tor over VPN). 





(Illustration: Windows 10/Whonix Workstation/macOS/Linux VM (Anonymous Activities) > Whonix Gateway VM) 





You will be able to decide which flavor to use based on my recommendations. I recommend the second one as explained before. 


Whonix is well maintained and has extensive and incredibly detailed documentation. 


A note on Virtualbox Snapshots: 


Later, you will create and run several Virtual Machines within Virtualbox for your sensitive activities. Virtualbox provides a feature called 


“Snapshots” that allow for saving the state of a VM at any point in time. If for any reason later you want to go back to that state, you can 
restore that snapshot at any moment. 
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This will allow you to turn your VMs into a kind of disposable “Live Operating Systems’ (like Tails discussed earlier). Meaning that you will be 
able to erase all the traces of your activities within a VM by restoring a Snapshot to an earlier state. Of course, this will not be “as good” as 
Tails (where everything is stored in memory) as there might be traces of this activity left on your hard disk. Forensics studies have shown the 
ability to recover data from a reverted VM. Fortunately, there will be ways to remove those traces after the deletion or reverting to an 
earlier snapshot. Such techniques will be discussed in the Some additional measures against forensics section of this guide. 


Download Virtualbox and whonix utilities: 
You should download a few things within the Host OS: 


>> The latest version of the Virtualbox installer according to your Host OS https://www.virtualbox.org/wiki/Downloads [Archive.org] 


>> (Skip this if you cannot use Tor natively or through a VPN) The latest Whonix OVA file from https://www.whonix.org/wiki/Download 
[Archive.org] according to your preference (Linux/Windows, with a Desktop interface XFCE for simplicity or only with the text-client for 
advanced users) 
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Virtualbox Hardening recommendations: 


For ideal security, you should follow the recommendations provided here for each Virtualbox Virtual Machine 
https://www.whonix.org/wiki/Virtualization_Platform_Security#VirtualBox_Hardening [Archive.org]. 
>> Disable Audio. 
>> Do not enable Shared Folders. 
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>> Do not enable the Serial Port. 

>> Remove the Floppy drive. 

>> Remove the CD/DVD drive. 

>> Do not enable the Remote Display server. 


>> Enable PAE/NX (NX is a security feature). 
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"vm-id" --acpi on|off 


>> Do not attach USB devices. 
>> Disable the USB controller which is enabled by default. Set the Pointing Device to “PS/2 Mouse” or changes will revert. 
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https://www.whonix.org/wiki/Network_Time_Synchronization#Spoof_the_Initial_Virtual_Hardware_Clock_Offset [Archive.org] 


This offset should be within a 60000-millisecond range and should be different for each VM and here are some examples (which can be later 
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>> VBoxManage modifyvm "Whonix-Gateway-XFCE" --biossystemtimeoffset -35017 
>> VBoxManage modifyvm "Whonix-Gateway-XFCE" --biossystemtimeoffset +27931 
>> VBoxManage modifyvm "Whonix-Workstation-XFCE" --biossystemtimeoffset -35017 
>> VBoxManage modifyvm "Whonix-Workstation-XFCE" --biossystemtimeoffset +27931 
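As an added example (not from this guide, Whonix or VirtualBox's own documentation), the POSIX shell script below picks a fresh, distinct random offset inside the 60000-millisecond range for each VM and prints the VBoxManage commands for that offset together with the hardening settings listed above that have a `VBoxManage modifyvm` equivalent (audio, remote display, PAE/NX, USB controller, PS/2 pointing device). It only prints the commands so they can be reviewed before being pasted into the host shell; the flag spellings assume VirtualBox 6.x syntax, and shared folders, floppy and CD/DVD removal are left to the GUI because they need the VM's share and storage-controller names.

```shell
#!/bin/sh
# Added example (not from the guide, Whonix or VirtualBox): print the
# VBoxManage commands that apply the hardening list plus a random, distinct
# BIOS clock offset per VM. Nothing is executed; review the output, then paste.
# Flag spellings assume VirtualBox 6.x syntax.
set -eu

# Random integer in [-60000, 60000] milliseconds, read from /dev/urandom so
# it works in plain POSIX sh (no $RANDOM needed).
random_offset() {
    r=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
    echo $(( r % 120001 - 60000 ))
}

# True when an offset is inside the range the guide asks for.
offset_in_range() {
    [ "$1" -ge -60000 ] && [ "$1" -le 60000 ]
}

# Write the offset with an explicit sign, as in the guide's examples (+27931, -35017).
format_offset() {
    case "$1" in
        -*) printf '%s' "$1" ;;
        *)  printf '+%s' "$1" ;;
    esac
}

# Hardening settings from the list above that have a modifyvm equivalent.
# Shared folders, floppy and CD/DVD removal need the VM's share and
# controller names, so they are left to the GUI.
hardening_commands() {
    vm="$1"
    printf 'VBoxManage modifyvm "%s" --audio none\n' "$vm"   # Disable Audio
    printf 'VBoxManage modifyvm "%s" --vrde off\n' "$vm"     # no Remote Display server
    printf 'VBoxManage modifyvm "%s" --pae on\n' "$vm"       # Enable PAE/NX
    printf 'VBoxManage modifyvm "%s" --usb off\n' "$vm"      # Disable the USB controller
    printf 'VBoxManage modifyvm "%s" --mouse ps2\n' "$vm"    # Pointing Device: PS/2 Mouse
}

# The clock-offset command for one VM.
offset_command() {
    printf 'VBoxManage modifyvm "%s" --biossystemtimeoffset %s\n' "$1" "$(format_offset "$2")"
}

# Emit the full command set for every VM named on the command line, making
# sure no two VMs receive the same offset (the guide wants them to differ).
plan_vms() {
    seen=" "
    for vm in "$@"; do
        off=$(random_offset)
        while [ "${seen#* $off }" != "$seen" ]; do
            off=$(random_offset)
        done
        seen="$seen$off "
        hardening_commands "$vm"
        offset_command "$vm" "$off"
    done
}

plan_vms "Whonix-Gateway-XFCE" "Whonix-Workstation-XFCE"
```

Run it once per host, keep the printed offsets with your notes, and re-run only when you rebuild the VMs, since a changing offset is itself a detectable pattern.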
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the VirtualBox Program Directory. All of these are described here: https://www.whonix.org/wiki/Spectre_Meltdown [Archive.org] (be aware these 
can severely impact the performance of your VMs but should be done for best security). 


Finally, consider the security advice from Virtualbox themselves here https://www.virtualbox.org/manual/ch13.html [Archive.org] 


Tor over VPN: 
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If you intend to use Tor over VPN for any reason, you first must configure a VPN service on your host OS. 


Remember that in this case, I recommend having two VPN accounts. Both paid with cash/Monero (see Appendix O: Getting an anonymous 
VPN/Proxy). One will be used in the Host OS for the first VPN connection. The other could be used in the VM to achieve VPN over Tor over 
VPN (User > VPN > Tor > VPN). 


If you intend to only use Tor over VPN, you only need one VPN account. 
See Appendix R: Installing a VPN on your VM or Host OS for instructions. 


Whonix Virtual Machines:


Skip this step if you cannot use Tor. 


>> Start Virtualbox on your Host OS. 


>> Import Whonix file into Virtualbox following the instructions on https://www.whonix.org/wiki/VirtualBox/XFCE [Archive.org]
>> Start the Whonix VMs 


Remember at this stage that if you are having issues connecting to Tor due to censorship or blocking, you should consider connecting using 


Bridges as explained in this tutorial https://www.whonix.org/wiki/Bridges [Archive.org].
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https://www.whonix.org/wiki/Operating_System_Software_and_Updates#Updates [Archive.org]


>> Shutdown the Whonix VMs 
>> Take a snapshot of the updated Whonix VMs within Virtualbox (select a VM and click the Take Snapshot button). More on that later. 


>> Go to the next step 


Important Note: You should also read these very good recommendations over there https://www.whonix.org/wiki/DoNot [Archive.org]
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https://www.whonix.org/wiki/Documentation [Archive.org] which will also provide tons of advice like this guide.


Pick your guest workstation Virtual Machine: 


Using Whonix/Linux will require more skills on your side as these are Linux distributions. You will also encounter more difficulties if you intend
to use specific software that might be harder to use on Whonix/Linux. Setting up a VPN over Tor on Whonix will also be more complicated
than on Windows.


If you can use Tor: 
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recommended) or from a Custom VM that will use the Whonix Gateway like the Whonix Workstation (less secure but might be required 
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If you cannot use Tor: 


If you cannot use Tor, you can use a Custom VM of your choice that will ideally use an anonymous VPN, if possible, to then connect to the 
Tor network. Or you could go with the risky route: See Appendix P: Accessing the internet as safely as possible when Tor and VPNs are not 
an option


Linux Virtual Machine (Whonix or Linux):
Whonix workstation (recommended and preferred): 


Skip this step if you cannot use Tor. 


Just use the provided Whonix Workstation VM. It is the safest and most secure way to go on this route. 


It is also the only VM that will provide Stream Isolation pre-configured for most apps by default.


If you want additional software on the Workstation (such as another Browser), follow their guide here 


https://www.whonix.org/wiki/Install_ Software [Archive.org] 


Consider running Whonix in Live Mode for extra malware protection. See https://www.whonix.org/wiki/Anti-Forensics_Precautions
[Archive.org]
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Consider using AppArmor on your Whonix Workstations by following this guide: https://www.whonix.org/wiki/AppArmor [Archive.org] 


Linux (any distro):
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other) could be used to fingerprint your VMs later. See https://www.whonix.org/wiki/VM_Fingerprinting [Archive.org]
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Use the Linux Distro of your choice. I would recommend Ubuntu or Fedora for convenience but any other would work too. Be sure to not
enable any telemetry. 


Refer to this tutorial https://www.whonix.org/wiki/Other_Operating_Systems [Archive.org] for detailed instructions.
Consider hardening the VM as recommended in Hardening Linux. 
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Use the Linux Distro of your choice. I would recommend Ubuntu or Fedora for convenience but any other would work too. Be sure to not
enable any telemetry. You could go with the risky route: See Appendix P: Accessing the internet as safely as possible when Tor and VPNs
are not an option.


CHOOSE A BROWSER WITHIN THE VM: 
This time, I will recommend Brave browser.
See why here: Appendix V: What browser to use in your Guest VM/Disposable VM 


See Appendix V1: Hardening your Browsers as well. 


Windows 10 Virtual Machine: 
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other) could be used to fingerprint your VMs later. See https://www.whonix.org/wiki/VM_Fingerprinting [Archive.org]


Windows 10 ISO download:


Go with the Official Windows 10 Pro VM and harden it yourself: see Appendix C: Windows Installation Media Creation and go with the ISO 
route. 


There is also another option you might hear about which is Windows AME (Ameliorated) from the https://ameliorated.info/ [Archive.org] project
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If you can use Tor (natively or over a VPN): 


Refer to this tutorial https://www.whonix.org/wiki/Other_Operating_Systems [Archive.org] for detailed instructions.


INSTALL: 
>> Shut down the Whonix Gateway VM (this will prevent Windows from sending out telemetry and allow you to create a local account). 
>> Open Virtualbox 


>> Select Machine > New > Select Windows 10 64bit 





>> Allocate a minimum amount of 2048MB but ideally 4096MB if your RAM allows it

>> Create a Virtual Disk using the VDI format and select Dynamically Allocated 
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>> Select the VM and click Settings, Go into the Network Tab 

>> Select “Internal Network” in the “Attached to” Field and select Whonix. 

>> Go into the Storage Tab, Select the Empty CD and click the icon next to SATA Port 1 
>> Click on “Choose a disk file” and select the Windows ISO you previously downloaded 
>> Click OK and start the VM

>> Virtualbox will prompt you to select a Starting disk (the ISO file), select it, and click Start 
>> Follow the steps in Appendix A: Windows Installation


>> Start the Whonix Gateway VM 


NETWORK SETTINGS: 

>> Go back into Settings then Network & Internet 

>> Click Properties (Below Ethernet) 

>> Edit IP settings: 

>> Enable IPv4 and set the following: 
>> IP address 10.152.152.50 (increase this IP by one for any other VM) 
>> Subnet prefix length 18 (255.255.192.0) 
>> Gateway 10.152.152.10 (this is the Whonix Gateway) 
>> DNS 10.152.152.10 (this is again the Whonix Gateway)
>> Save 

>> Windows might prompt you if you want to be “discoverable” on this network. Click NO. 
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the VM is powered off. 


If you cannot use Tor: 


See Appendix P: Accessing the internet as safely as possible when Tor and VPNs are not an option 


INSTALL: 
>> Open Virtualbox 
>> Select Machine > New > Select Windows 10 64bit 
>> Allocate a minimum amount of 2048MB but ideally 4096MB if your Ram allows it 
>> Create a Virtual Disk using the VDI format and select Dynamically Allocated 
>> Keep the disk size at 50GB (this is a maximum; it should not reach that much) 
>> Go into the Storage Tab, Select the Empty CD and click the icon next to SATA Port 1 
>> Click on “Choose a disk file” and select the Windows ISO you previously downloaded 
>> Click ok and start the VM 
>> Virtualbox will prompt you to select a Starting disk (the ISO file), select it, and click Start 


>> Follow the steps in Appendix A: Windows Installation 
NETWORK SETTINGS: 


>> Windows will prompt you if you want to be “discoverable” on this network. Click NO. 
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the VM is powered off. 


Choose a browser within the VM: 


This time, I will recommend Brave browser.





See why here: Appendix V: What browser to use in your Guest VM/Disposable VM 


See Appendix V1: Hardening your Browsers as well. 


Additional Privacy settings in Windows 10: 


See Appendix B: Windows Additional Privacy Settings 


Android Virtual Machine: 


Because sometimes you want to run mobile Apps anonymously too, you can also set up an Android VM for this purpose. As in other cases,
ideally, this VM will also be sitting behind the Whonix Gateway for Tor network connectivity. But this can also be set up as VPN over Tor over
VPN.


If you can use Tor (natively or over a VPN): 


Later in the VM settings during creation, go into Network and select Internal Network, Whonix. 
Then, within Android itself:
>> Select Wi-Fi 
>> Select VirtWifi to connect 
>> Go into the advanced Wi-Fi properties 
>> Switch from DHCP to Static 
>> IP address 10.152.152.50 (increase this IP by one for any other VM)
>> Subnet prefix length 18 (255.255.192.0)
>> Gateway 10.152.152.10 (this is the Whonix Gateway)
>> DNS 10.152.152.10 (this is again the Whonix Gateway)


If you cannot use Tor: 


Just use the tutorials as is and see Appendix P: Accessing the internet as safely as possible when Tor and VPNs are not an option 
Installation: 


Two possibilities: AnBox or Android-x86 
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ANDROID-X86: 
Basically, follow the tutorial here: https://www.android-x86.org/documentation/virtualbox.html [Archive.org] 
>> Download the ISO file of your choice 
>> Create a New VM. 
>> Select Linux and Linux 2.6 / 3.x / 4.x 64 Bit. 
>> In System: 
>> Allocate at least 2048MB (2GB) memory 
>> Uncheck the Floppy drive 
>> In the Processor Tab, select at least 1 or more CPUs 
>> Enable PAE/NX 
>> In Display Settings, Change the adapter to VBoxVGA 
>> In Audio Settings, Change to Intel HD Audio
>> Start the VM 
>> Select Advanced if you want persistence, Live if you want a disposable Boot (and skip the next steps). 
>> Select Auto Install on Selected Hard Disk 
>> Select Run Android 


>> Set up as you wish (disable all prompts for data collections). I recommend using the TaskBar Home.





>> Go into Settings, Android-x86 Options, and disable all collections. 
>> Connect to VirtWifi Wi-Fi Network (see the above section if you are behind Whonix and want to use Tor) 
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macOS Virtual Machine: 


Yes, you can actually run macOS within Virtualbox (on Windows/Linux/macOS host systems) if you want to use macOS. You can run any 
version of macOS you want. 


If you can use Tor (natively or over a VPN): 


During the following tutorials, before starting the macOS VM, make sure you do put the macOS VMs on the Whonix Network. 
>> Select the VM and click Settings, Go into the Network Tab 
>> Select “Internal Network” in the “Attached to” Field and select Whonix 
Afterward, and during the install, you will need to input an IP address manually to connect through the Whonix Gateway. 
Use these settings when prompted in the macOS installation process: 
>> IP address 10.152.152.50 (increase this IP by one for any other VM)
>> Subnet prefix length 18 (255.255.192.0)
>> Gateway 10.152.152.10 (this is the Whonix Gateway)
>> DNS 10.152.152.10 (this is again the Whonix Gateway)
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Just use the tutorials as is and see Appendix P: Accessing the internet as safely as possible when Tor and VPNs are not an option 


Installation: 

>> Windows Host OS: 
>> Virtualbox Catalina Tutorial: https://www.wikigain.com/install-macos-catalina-on-virtualbox-on-windows/ [Archive.org] 
>> Virtualbox Big Sur Tutorial: https://www.wikigain.com/how-to-install-macos-big-sur-on-virtualbox-on-windows-pc/ [Archive.org] 
>> Virtualbox Monterey Tutorial: https://www.wikigain.com/install-macos-monterey-on-virtualbox/ [Archive.org]

>> macOS Host OS: 
>> Just use the same tutorials as above but execute the various commands in the terminal. It should work without issue. 

>> Linux Host OS: 
>> Just use the same tutorials as above but execute the various commands in the terminal. It should work without issue. 


There are some drawbacks to running macOS on Virtual Machines. The main one is that they do not have a serial number (0 by default) and 
you will be unable to log in to any Apple-provided service (iCloud, iMessage...) without a genuine ID. You can set such IDs using this script: 


https://github.com/myspaghetti/macos-virtualbox [Archive.org] but keep in mind that randomly generated IDs will not work and using the ID of
someone else will break their Terms of Services and could count as impersonation (and therefore could be illegal).


Note: I also ran into multiple issues with running these on AMD processors. This can be fixed so here is the configuration I used which worked
fine with Catalina, Big Sur and Monterey which will tell Virtualbox to emulate an Intel Processor instead:


>> VBoxManage modifyvm "macOSCatalina" --cpuidset 00000001 000106e5 00100800 0098e3fd bfebfbff
>> VBoxManage setextradata "macOSCatalina" "VBoxInternal/Devices/efi/0/Config/DmiSystemProduct" "MacBookPro15,1"
>> VBoxManage setextradata "macOSCatalina" "VBoxInternal/Devices/efi/0/Config/DmiBoardProduct" "Mac-551B86E5744E2388"
>> VBoxManage setextradata "macOSCatalina" "VBoxInternal/Devices/smc/0/Config/DeviceKey" "ourhardworkbythesewordsguardedpleasedontsteal(c)AppleComputerInc"
>> VBoxManage setextradata "macOSCatalina" "VBoxInternal/Devices/smc/0/Config/GetKeyFromRealSMC" 1
>> VBoxManage modifyvm "macOSCatalina" --cpu-profile "Intel Core i7-6700K"
>> VBoxManage setextradata "macOSCatalina" VBoxInternal2/EfiGraphicsResolution 1920x1080


Hardening macOS:


Refer to Hardening macOS. 


Choose a browser within the VM: 





This time, I will recommend Brave browser.
See why here: Appendix V: What browser to use in your Guest VM/Disposable VM 
See Appendix V1: Hardening your Browsers as well. 


KeePassXC:


You will need something to store your data (logins/passwords, identities, and TOTP information).


For this purpose, I strongly recommend KeePassXC because of its integrated TOTP feature. This is the ability to create entries for 2FA
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Remember this should ideally be installed on your Guest VM and not on your Host OS. You should never do any sensitive activities from your 
Host OS. 


Here are the tutorials: 
>> Tails: KeePassXC is integrated by default 
>> Whonix: https://www.whonix.org/wiki/Keepassxc [Archive.org] 
>> Linux: 
>> Download from https://keepassxc.org/download/ [Archive.org]
>> Follow the tutorial here https://keepassxc.org/docs/KeePassXC_GettingStarted.html#_linux [Archive.org]
>> Windows:
>> Download from https://keepassxc.org/download/ [Archive.org]
>> Follow the tutorial here https://keepassxc.org/docs/KeePassXC_GettingStarted.html#_microsoft_windows [Archive.org]
>> macOS:
>> Download from https://keepassxc.org/download/ [Archive.org]
>> Follow the tutorial here https://keepassxc.org/docs/KeePassXC_GettingStarted.html#_macos [Archive.org]
Test that KeePassXC is working before going to the next step. 


VPN client installation (cash/Monero paid):
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If you cannot use a VPN at all in a hostile environment, skip this step. 

Otherwise, see Appendix R: Installing a VPN on your VM or Host OS to install a VPN client on your client VM. 
This should conclude the Route and you should now be ready. 


About VPN Client Data Mining/Leaks: 


You might be asking yourself if those VPN clients are trustworthy not to leak any information about your local environment to the VPN 
provider when using them in the “VPN over Tor” context. 


This is a valid concern but should be taken with a grain of salt. 


Remember that all VPN activities are happening from a sandboxed VM on an internal network behind a Network Gateway (the Whonix 
Gateway). It does not matter much if the VPN client leaves some identifiers on your guest VM. The guest VM is still sandboxed and walled-off 
from the Host OS. The attack surface is IMHO pretty small especially when using the reputable and recommended VPN providers within the 
guides (iVPN, Mullvad, ProtonVPN, and maybe Safing.io). 
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Host OS. And in theory, the VPN client should not send any telemetry back to the VPN provider. If your VPN client does this or asks this, you 
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(Optional) Allowing only the VMs to access the internet while cutting off the Host OS to prevent 
any leak: 


This step will allow you to configure your Host OS so that only the Whonix Gateway VM will have access to the internet. This will therefore
prevent any “leak” from your Host OS while letting the Whonix Gateway establish the Tor connectivity. The other VMs (Whonix Workstation or
any other VM you installed behind it) will not be affected.


There are three ways to do this: 


>> The Lazy Way (not really recommended): not supported by Whonix and might have some security implications as you will expose the
Whonix Gateway VM to the Public Wi-Fi network. I would recommend against this unless you are in a hurry or very lazy.
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>> The Better Way (see further down): still not supported by Whonix but it will not expose the Whonix Gateway VM to the Public Wi-Fi 
network. This should keep things in check in terms of security. 


>> The Best Way: Using an external USB Wi-Fi dongle and just disabling Wi-Fi on the Host OS/Computer. 


The Lazy Way (not supported by Whonix but it will work if you are in a hurry, see further for the Better Way):
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Host OS from leaking any information while you are using the Whonix VMs. 
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access). 


The illustration below shows the result of this step: 


[Illustration: Whonix Gateway VM]





CONFIGURATION OF THE WHONIX GATEWAY VM: 


For this to work, we will need to change some configurations on the Whonix Gateway VM. We will need to add a DHCP client to the Whonix 
Gateway to receive IP addresses from the network. To do those changes the Host OS will still have to have internet access allowed for now. 


So here is how: 
>> Be sure to have your Host OS connected to a safe Wi-Fi. 
>> Through VirtualBox, start the Whonix Gateway VM 
>> Start a Terminal on the VM 
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>= sudo apt install dhcpcd5 
>> Now edit the Whonix Gateway VM network configuration using the following command:
>> sudo nano /etc/network/interfaces.d/30_non-qubes-whonix
>> Within the file, change the following lines:
>> "# auto eth0" to "auto eth0"
>> "# iface eth0 inet dhcp" to "iface eth0 inet dhcp"
>> "iface eth0 inet static" to "# iface eth0 inet static"
>> "address 10.0.2.15" to "# address 10.0.2.15"
>> "netmask 255.255.255.0" to "# netmask 255.255.255.0"
>> "gateway 10.0.2.2" to "# gateway 10.0.2.2"
>> Save (using Ctrl+X and confirm with Y) and power off the VM from the top left menu
>> Go into the VirtualBox Application and select the Whonix Gateway VM 
>> Click Settings 


>> Click the Network Tab 





>> For Adapter 1, change the “Attached To” value from “NAT” to “Bridged Adapter” 
>> As “Name”, select your Wi-Fi network Adapter
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CONFIGURATION OF THE HOST OS: 


Now we must block internet access from your Host OS while still allowing the VM to connect. This will be done by connecting to Wi-Fi with
the Host OS and then removing the Host OS's default gateway (its default route). The VM will then use your Wi-Fi association to get an IP address of its own.


WINDOWS HOST OS: 


The goal here is to associate with a Wi-Fi network without having an internet connection. We will achieve this by deleting the Gateway from 
the connection after you are connected: 


>> First, connect to the safe Wi-Fi of your choice 
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>> Run the following command: route delete 0.0.0.0 (this deletes the Gateway from your IP configuration)
>> You are done, your Host OS will now be unable to access the internet while still connected to the Wi-Fi 


>> Note that this will reset at each disconnect/reconnection to a network, and you will have to delete the route again. This is not 
permanent. 


=> You can now start the Whonix Gateway VM which should now obtain an IP automatically from the Wi-Fi network and should provide 
Network to the other VMs behind (Whonix Workstation or other). 


>> And finally, after that, you can start the Whonix Workstation VM (or any other VM you configured to work behind the Whonix Gateway 
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LINUX HOST OS: 


The goal here is to associate with a Wi-Fi network without having an internet connection. We will achieve this by deleting the Gateway from 
the connection after you are connected: 


>> First, connect to the safe Wi-Fi of your choice 

>> Open a Terminal 

>> Run the following command: sudo ip route del default (this deletes the Gateway from your IP configuration) 
>> You are done, your Host OS will now be unable to access the internet while still connected to the Wi-Fi 


>> Note that this will reset at each disconnect/reconnection to a network, and you will have to delete the route again. This is not 
permanent. 


>> You can now start the Whonix Gateway VM which should now obtain an IP automatically from the Wi-Fi network and should provide 
Network to the other VMs behind (Whonix Workstation or other). 


>> And finally, after that, you can start the Whonix Workstation VM (or any other VM you configured to work behind the Whonix Gateway 
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MACOS HOST OS: 


The goal here is to associate with a Wi-Fi network without having an internet connection. We will achieve this by deleting the Gateway from 
the connection after you are connected: 


>> First, connect to the safe Wi-Fi of your choice 

>> Open a Terminal 

==> Run the following command: sudo route delete default (this deletes the Gateway from your IP configuration) 
>> You are done, your Host OS will now be unable to access the internet while still connected to the Wi-Fi 


>> Note that this will reset at each disconnect/reconnection to a network, and you will have to delete the route again. This is not 
permanent. 


>> You can now start the Whonix Gateway VM which should now obtain an IP automatically from the Wi-Fi network and should provide 
Network to the other VMs behind (Whonix Workstation or other). 


>> And finally, after that, you can start the Whonix Workstation VM (or any other VM you configured to work behind the Whonix Gateway 
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The Better Way (recommended):


This way will not go against Whonix recommendations (as it will not expose the Whonix Gateway to the Host OS) and will have the 
advantage of allowing connections not only to open Wi-Fis but also to the ones with a Captive Portal where you need to enter some 
information to access the internet. 





Yet this will still not be supported by the Whonix project, but it is fine as the main concern for the earlier Lazy Way is to have the Whonix 
Gateway VM exposed to the Host Network, and it will not be the case here. 


This option will require an additional VM between the Host OS and the Whonix Gateway to act as a Network Bridge. 


For this purpose, I will recommend the use of a lightweight Linux Distro. Any will do but the easiest IMHO will be an Ubuntu-based distro and
I would recommend the lightweight XUbuntu as it will be extremely easy to configure this setup.


Why XUbuntu and not Ubuntu or KUbuntu? Because XUbuntu uses an XFCE desktop environment which is lightweight and this VM will only 
serve as a proxy and nothing else. 


Of course, you can also achieve this with any other Linux distro if you so decide you do not like XUbuntu. 
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INSTALLING XUBUNTU VM: 
Make sure you are connected to a safe Wi-Fi for this operation. 
First, you will need to download the latest XUbuntu Stable release ISO from https://xubuntu.org/download/ 
When you are done with the download, it is time to create a new VM: 
>> Start VirtualBox Manager 
>> Create a new VM and name it as you want, for example, “XUbuntu Bridge” 
>> Select type “Linux” 
>> Select Version “Ubuntu (64-bit)” 
>> Leave other options to default and click Create 
>> On the next screen, leave the default options and click Create 
>> Select the newly create VM and click Settings 
>> Select Network 
>> For Adapter 1, Switch to Bridged Mode and pick your Wi-Fi adapter in the Name 
>> Select Adapter 2 and enable it 
>> Attach it to “Internal Network” and name it “XUbuntu Bridge” 
>> Select Storage
>> Select the Empty CD drive 
>> On the right side, click the CD icon and select “Choose a disk file” 
>> Select the ISO of XUbuntu you previously downloaded and Click Ok 
>> Start the VM 
>> Select Start XUbuntu 


>> Select Install XUbuntu 





>> Pick your Keyboard Layout and click Continue 

>> Select Minimal Installation and Download Updates while installing XUbuntu 

>> Select Erase Disk and install XUbuntu and click Install Now 

>> Select the Time Zone of your choice and click Continue 

>> Pick some random names unrelated to you (my favorite username is “NoSuchAccount”) 
>> Pick a password and require a password to login

>> Click Continue and wait for the install to finish and Restart 

>> When you are done rebooting, log-in

>> Click the upper right connection icon (it looks like two rotating spheres) 
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>> Select Wired Connection 2 (Adapter 2 previously configured in VirtualBox settings) 
>> Select the IPv4 Tab 

>> Change the Method to “Shared to other computers” and click Save


>> You are now done setting up the XUbuntu Bridge VM


CONFIGURING THE WHONIX GATEWAY VM: 
By default, the Whonix Gateway has no DHCP client and will require one to get an IP from a shared network you configured earlier: 
>> Through VirtualBox, start the Whonix Gateway VM 
>> Start a Terminal on the VM 
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>> sudo apt install dhcpcd5 
>> Now edit the Whonix Gateway VM network configuration using the following command: 
>> sudo nano /etc/network/interfaces.d/30_non-qubes-whonix
>> Within the file, change the following lines:
>> "# auto eth0" to "auto eth0"
>> "# iface eth0 inet dhcp" to "iface eth0 inet dhcp"
>> "iface eth0 inet static" to "# iface eth0 inet static"
>> "address 10.0.2.15" to "# address 10.0.2.15"
>> "netmask 255.255.255.0" to "# netmask 255.255.255.0"
>> "gateway 10.0.2.2" to "# gateway 10.0.2.2"
>> Save (using Ctrl+X and confirm with Y) and power off the VM from the top left menu
>> Go into the VirtualBox Application and select the Whonix Gateway VM 
>> Click Settings 
>> Click the Network Tab 
>> For Adapter 1, change the “Attached To” value from “NAT” to “Internal Network” 
>> As “Name”, select the internal network “XUbuntu Bridge” you created earlier and click OK
>> Reboot the Whonix Gateway VM 
>> From the upper left menu, select System, Tor Control Panel, and check that you are connected (you should be) 


>> You are done configuring the Whonix Gateway VM 
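The six-line edit to 30_non-qubes-whonix described above (the same edit is repeated for the Lazy Way, the Better Way and the Best Way), as an added example that is not part of this guide or of the Whonix project: a small Python script that applies the change to the file's contents and checks the result before you reboot the Gateway. It only touches the eth0 stanza; eth1, the 10.152.152.10/18 side that the Workstation and any other VM behind the Gateway depend on, is left exactly as it is. The sample file below is a constructed and simplified version of the real one, which carries more comments and may differ between Whonix versions, so review the output before copying it into place.

```python
"""Switch the Whonix Gateway's external interface (eth0) from the static NAT
address to DHCP, and check the result, as done by hand with nano above.

Added example, not from the guide or from Whonix. SAMPLE_BEFORE is a
constructed, simplified /etc/network/interfaces.d/30_non-qubes-whonix.
"""

# Lines the guide says to comment out (the eth0 static stanza) ...
STATIC_ETH0 = ("iface eth0 inet static", "address 10.0.2.15",
               "netmask 255.255.255.0", "gateway 10.0.2.2")
# ... and the lines it says to uncomment.
DHCP_ETH0 = ("auto eth0", "iface eth0 inet dhcp")


def switch_eth0_to_dhcp(text: str) -> str:
    """Return the file contents with eth0 on DHCP and its static stanza disabled.

    Matching is on whole lines, so the eth1 stanza (10.152.152.10, netmask
    255.255.192.0) is never touched. Applying the function twice is a no-op.
    """
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        bare = stripped.lstrip("#").strip()  # the line without a leading '#'
        if bare in DHCP_ETH0 and stripped.startswith("#"):
            out.append(bare)                 # uncomment
        elif bare in STATIC_ETH0 and not stripped.startswith("#"):
            out.append("# " + bare)          # comment out
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def check_gateway_interfaces(text: str) -> list:
    """Findings that would break the setup if the file were applied as-is."""
    active = [l.strip() for l in text.splitlines()
              if l.strip() and not l.strip().startswith("#")]
    findings = []
    if "iface eth0 inet dhcp" not in active:
        findings.append("eth0 is not configured for DHCP")
    if "auto eth0" not in active:
        findings.append("eth0 will not be brought up automatically (auto eth0 missing)")
    if "iface eth0 inet static" in active:
        findings.append("eth0 still has an active static stanza (conflicts with DHCP)")
    if "iface eth1 inet static" not in active or "address 10.152.152.10" not in active:
        findings.append("eth1 must keep its static address 10.152.152.10 for the VMs behind the Gateway")
    return findings


# Constructed sample (simplified; the real file has many more comment lines).
SAMPLE_BEFORE = """\
auto lo
iface lo inet loopback

# auto eth0
# iface eth0 inet dhcp
iface eth0 inet static
address 10.0.2.15
netmask 255.255.255.0
gateway 10.0.2.2

auto eth1
iface eth1 inet static
address 10.152.152.10
netmask 255.255.192.0
"""

if __name__ == "__main__":
    import sys
    # Read the real file from stdin when piped; otherwise demonstrate on the sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BEFORE
    new_text = switch_eth0_to_dhcp(source)
    for finding in check_gateway_interfaces(new_text):
        print("WARNING:", finding, file=sys.stderr)
    sys.stdout.write(new_text)
```

On the Gateway, run it as `python3 switch_dhcp.py < /etc/network/interfaces.d/30_non-qubes-whonix > /tmp/30_non-qubes-whonix`, read the result, and only then copy it over the original with sudo; if it prints a WARNING, fix that by hand before powering the VM off and switching the adapter.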


CONFIGURATION OF THE HOST OS: 


Now we must block internet access from your Host OS while still allowing the XUbuntu Bridge VM to connect. This will be done by connecting 
to Wi-Fi with the Host OS but without assigning itself a gateway address. The VM will then use your Wi-fi association to get an IP address. 


If necessary, from the XUbuntu Bridge VM, you will be able to launch a Browser to enter information into any captive/registration portal on the 
Wi-Fi network. 


Only the XUbuntu Bridge VM should be able to access the internet. The Host OS will be limited to local traffic only. 


WINDOWS HOST OS: 





The goal here is to associate with a Wi-Fi network without having an internet connection. We will achieve this by deleting the Gateway from 
the connection after you are connected: 


>> First, connect to the safe Wi-Fi of your choice 
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>> Run the following command: route delete 0.0.0.0 (this deletes the Gateway from your IP configuration)
>> You are done, your Host OS will now be unable to access the internet while still connected to the Wi-Fi 


>> Note that this will reset at each disconnect/reconnection to a network, and you will have to delete the route again. This is not 
permanent. 


>> You can now start the XUbuntu Bridge VM which should now obtain an IP automatically from the Wi-Fi network and should provide 
Network to the other VMs behind (Whonix Workstation or other). 


>> If necessary, you can use the XUbuntu Bridge VM Browser to fill in any information on any captive/registration portal to access the Wi-Fi


>> After that, you can start the Whonix Gateway VM which should obtain the Internet Connection from the XUbuntu Bridge VM. 


>> And finally, after that, you can start the Whonix Workstation VM (or any other VM you configured to work behind the Whonix Gateway 
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LINUX HOST OS: 


The goal here is to associate with a Wi-Fi network without having an internet connection. We will achieve this by deleting the Gateway from 
the connection after you are connected: 


>> First, connect to the safe Wi-Fi of your choice 

>> Open a Terminal 

>> Run the following command: sudo ip route del default (this deletes the Gateway from your IP configuration) 
>> You are done, your Host OS will now be unable to access the internet while still connected to the Wi-Fi 


>> Note that this will reset at each disconnect/reconnection to a network, and you will have to delete the route again. This is not 
permanent. 


>> You can now start the XUbuntu Bridge VM which should now obtain an IP automatically from the Wi-Fi network and should provide 
Network to the other VMs behind (Whonix Workstation or other). 


>> If necessary, you can use the XUbuntu Bridge VM Browser to fill in any information on any captive/registration portal to access the Wi-Fi


>> After that, you can start the Whonix Gateway VM which should obtain the Internet Connection from the XUbuntu Bridge VM. 


>> And finally, after that, you can start the Whonix Workstation VM (or any other VM you configured to work behind the Whonix Gateway 
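A check for the Linux host step above (the same step appears in the Lazy Way), as an added example that is not part of this guide: it parses the output of `ip route show` and reports whether the host still has a default route before you start the Bridge VM. The sample outputs are constructed. One caveat the guide does not spell out: `ip route del default` only removes an IPv4 default route. If the Wi-Fi network advertises IPv6, the host keeps an IPv6 default route learned from router advertisements and still has a way out; check `ip -6 route show` and remove it with `sudo ip -6 route del default` as well.

```python
"""Verify the Host OS has no default route left (IPv4 and IPv6) after the
`ip route del default` step, before starting the Bridge/Gateway VM.

Added example, not from the guide. Parses `ip route show` / `ip -6 route show`
output; the samples below are constructed.
"""
import subprocess


def default_routes(ip_route_output: str) -> list:
    """Return the default routes found in `ip route show` style output."""
    return [line.strip() for line in ip_route_output.splitlines()
            if line.split() and line.split()[0] == "default"]


def host_is_cut_off(v4_output: str, v6_output: str) -> bool:
    """True only when neither address family has a default route."""
    return not default_routes(v4_output) and not default_routes(v6_output)


def remaining_link_routes(v4_output: str) -> list:
    """On-link routes that must survive: the host stays associated with the
    Wi-Fi (so the bridged VM can use it); only the host's way out is removed."""
    return [line.strip() for line in v4_output.splitlines()
            if line.split() and line.split()[0] != "default" and "scope link" in line]


def check_live_host() -> bool:
    """Ask the running Linux host (needs iproute2; read-only, no root required)."""
    v4 = subprocess.run(["ip", "route", "show"], capture_output=True, text=True, check=True).stdout
    v6 = subprocess.run(["ip", "-6", "route", "show"], capture_output=True, text=True, check=True).stdout
    return host_is_cut_off(v4, v6)


# Constructed samples of `ip route show` output.
BEFORE_V4 = """default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42 metric 600
"""
AFTER_V4 = """192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42 metric 600
"""
# IPv6 default route installed from a router advertisement ("proto ra"); it is
# not touched by `ip route del default`, which only acts on the IPv4 table.
V6_WITH_DEFAULT = """fe80::/64 dev wlan0 proto kernel metric 600 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""
V6_CLEAN = """fe80::/64 dev wlan0 proto kernel metric 600 pref medium
"""

if __name__ == "__main__":
    print("IPv4 default removed, IPv6 default still present:",
          host_is_cut_off(AFTER_V4, V6_WITH_DEFAULT))   # False: host can still leak
    print("both removed:", host_is_cut_off(AFTER_V4, V6_CLEAN))
```

After `sudo ip route del default`, run `ip route show` again: the command removes one matching route, so if the host had more than one default route (for example on two interfaces) repeat it until none is listed, then do the same with `ip -6 route`.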
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MACOS HOST OS: 


The goal here is to associate with a Wi-Fi network without having an internet connection. We will achieve this by deleting the Gateway from 
the connection after you are connected: 


>> First, connect to the safe Wi-Fi of your choice 

>> Open a Terminal

>> Run the following command: sudo route delete default (this deletes the Gateway from your IP configuration)
>> You are done, your Host OS will now be unable to access the internet while still connected to the Wi-Fi 


>> Note that this will reset at each disconnect/reconnection to a network, and you will have to delete the route again. This is not 
permanent. 


>> You can now start the XUbuntu Bridge VM which should now obtain an IP automatically from the Wi-Fi network and should provide
Network to the other VMs behind (Whonix Workstation or other). 


>> If necessary, you can use the XUbuntu Bridge VM Browser to fill in any information on any captive/registration portal to access the Wi-Fi
>> After that, you can start the Whonix Gateway VM which should obtain the Internet Connection from the XUbuntu Bridge VM. 


>> And finally, after that, you can start the Whonix Workstation VM (or any other VM you configured to work behind the Whonix Gateway 
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The best way: 
This way will not go against Whonix recommendations (as it will not expose the Whonix Gateway to the Host OS) and will have the 
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information to access the internet. Yet this will still not be supported by the Whonix project, but it is fine as the main concern for the earlier Lazy Way is to have the Whonix Gateway VM exposed to the Host Network, and it will not be the case here. This option is the best because
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This option will require an additional VM between the Host OS and the Whonix Gateway to act as a Network Bridge and to connect to the Wi- 
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For this purpose, I will recommend the use of a lightweight Linux Distro. Any will do but the easiest IMHO will be an Ubuntu-based distro and I would recommend the lightweight XUbuntu as it will be extremely easy to configure this setup.


Why XUbuntu and not Ubuntu or KUbuntu? Because XUbuntu uses an XFCE desktop environment which is lightweight and this VM will only 
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Of course, you can also achieve this with any other Linux distro if you so decide you do not like XUbuntu. 
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CONFIGURATION OF THE HOST OS: 
>> Disable Networking on your Host OS completely (Turn off the on-board Wi-Fi completely)


>> Plug in and install your USB Wi-Fi Dongle. Connect it to a safe Public Wi-Fi. This should be easy and automatically installed by any 
recent OS (Windows 10, macOS, Linux). 


CONFIGURING THE WHONIX GATEWAY VM: 


By default, the Whonix Gateway has no DHCP client and will require one to get an IP from a shared network you will configure later, on a 
Bridge VM: 


>> Through VirtualBox, start the Whonix Gateway VM 
>> Start a Terminal on the VM 
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>> sudo apt install dhcpcd5
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>> sudo nano /etc/network/interfaces.d/30_non-qubes-whonix
>> Edit the file, changing the following lines as shown:
>> “# auto eth0” to “auto eth0”
>> “# iface eth0 inet dhcp” to “iface eth0 inet dhcp”
>> “iface eth0 inet static” to “# iface eth0 inet static”
>> “address 10.0.2.15” to “# address 10.0.2.15”
>> “netmask 255.255.255.0” to “# netmask 255.255.255.0”
>> “gateway 10.0.2.2” to “# gateway 10.0.2.2”


>> Save (using Ctrl+X and confirm with Y) and power off the VM from the top left menu 


INSTALLING XUBUNTU VM: 


Make sure you are connected to a safe Wi-Fi for this operation. 





First, you will need to download the latest XUbuntu Stable release ISO from https://xubuntu.org/download/ 
When you are done with the download, it is time to create a new VM: 

>> Disconnect your host OS from the Wi-Fi you previously connected to with the dongle and forget the network. 

>> Start VirtualBox Manager 

>> Create a new VM and name it as you want, for example, “XUbuntu Bridge”

>> Select type “Linux” 

>> Select Version “Ubuntu (64-bit)” 

>> Leave other options to default and click Create 

>> On the next screen, leave the default options and click Create 

>> Select the newly created VM and click Settings

>> Select Network 

>> For Adapter 1, Attach it to “Internal Network” and name it “XUbuntu Bridge”

>> Select Storage 

>> Select the Empty CD drive 

>> On the right side, click the CD icon and select “Choose a disk file” 

>> Select the ISO of XUbuntu you previously downloaded and Click Ok 

>> Select the USB Tab 

>> On the right side, click the USB icon with a + sign (the second from the top) 

>> Select the Wi-Fi Adapter Dongle from the list and make sure it is checked (leave the USB options to default) 

>> Start the VM 

>> Select Start XUbuntu 
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>> Pick your Keyboard Layout and click Continue 
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>> Select Erase Disk and install XUbuntu and click Install Now 

>> Select the Time Zone of your choice and click Continue 

>> Pick some random names unrelated to you (my favorite username is “NoSuchAccount”) 

>> Pick a password and require a password to login

>> Click Continue and wait for the install to finish and Restart 

>> When you are done rebooting, log in

>> Click the upper right connection icon (it looks like two rotating spheres) 
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>> Select Wired Connection 1 (normally there should only be one) 

>> Select the IPv4 Tab 

>> Change the Method to “Shared to other computers” and click Save
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>> Connect to the safe Wi-Fi of your choice and if necessary, input the necessary information into a Captive Portal. 

>> You are now done setting up the XUbuntu Bridge VM


At this stage, your Host OS should have no network at all and your XUbuntu VM should have a fully working Wi-Fi connection and this Wi-Fi connection will be shared to the Internal Network “XUbuntu Bridge”.
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Now it is time to configure the Whonix Gateway VM to get access from the shared network from the bridge VM we just made on the earlier 
step: 


>> Go into the VirtualBox Application and select the Whonix Gateway VM 





>> Click Settings 

>> Click the Network Tab 

>> For Adapter 1, change the “Attached To” value from “NAT” to “Internal Network” 

>> As “Name”, select the internal network “XUbuntu Bridge” you created earlier and click OK

>> Reboot the Whonix Gateway VM 

>> From the upper left menu, select System, Tor Control Panel, and check that you are connected (you should be) 
>> You are done configuring the Whonix Gateway VM 


At this stage, your Whonix Gateway VM should be getting internet access from the XUbuntu Bridge VM which in turn is getting internet 
access from the Wi-Fi Dongle and sharing it. Your Host OS should have no network connectivity at all. 
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Final step: 


Take a post-install VirtualBox snapshot of your VMs. 
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The Qubes Route: 


Note that while this route is written for Qubes OS 4.0.x, it should also work with Qubes OS 4.1.x but it hasn’t been tested yet. The 
guide will be updated when Qubes OS 4.1 is released (now at the Release Candidate 3 stage as of this writing). 


As they say on their website, Qubes OS is a reasonably secure, free, open-source, and security-oriented operating system for single-user 
desktop computing. Qubes OS leverages and extensively uses Xen-based virtualization to allow for the creation and management of isolated 
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Qubes OS is not a Linux distribution but a Xen distribution. It is different from Linux distributions because it will make extensive use of
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default and allows for increased privacy and anonymity. It is highly recommended that you document yourself over Qubes OS principles 
before going this route. Here are some recommended resources: 


>> Qubes OS Introduction, https://www.qubes-os.org/intro/ [Archive.org]
>> Qubes OS Video Tours, https://www.qubes-os.org/video-tours/ [Archive.org]
>> Qubes OS Getting Started, https://www.qubes-os.org/doc/getting-started/ [Archive.org]
>> YouTube, Life Behind the Tinfoil: A Look at Qubes and Copperhead - Konstantin Ryabitsev, The Linux Foundation https://www.youtube.com/watch?v=8cU4hQg6GvU [Invidious]
>> YouTube, I used the reasonably-secure Qubes OS for 6 months and survived - Matty McFatty [@themattymcfatty] https://www.youtube.com/watch?v=sbN5Bz3v-uA [Invidious]
>> YouTube, Qubes OS: How it works, and a demo of this VM-centric OS https://www.youtube.com/watch?v=YPAvoFsvSbg [Invidious]

This OS is recommended by prominent figures such as Edward Snowden and PrivacyGuides.org.
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as the lack of OS-wide plausible deniability, its hardware requirements, and its hardware compatibility. While you can run this on 4GB of RAM as per their requirements, the recommended RAM is 16GB. I would recommend against using Qubes OS if you have less than 8GB of RAM. If you want a comfortable experience, you should have 16GB, if you want a particularly enjoyable experience, you should have 24GB
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The reason for this RAM requirement is that each app will run in a different VM and each of those VM will require and allocate a certain 
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overhead will be significant. 


You should also check their hardware compatibility here https://www.qubes-os.org/hcl/ [Archive.org] before proceeding. Your mileage might
vary, and you might experience several issues about hardware compatibility that you will have to troubleshoot and solve yourself. 
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terms of security and privacy. The only disadvantage of this route is that it does not provide a way to enable OS-wide plausible deniability,
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Pick your connectivity method: 


There are seven possibilities within this route: 


>> Recommended and preferred: 
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>> Use VPN over Tor (User > Tor > VPN > Internet) in specific cases 

>> Use a VPS with a self-hosted VPN/Proxy over Tor (User > Tor > Self-Hosted VPN/Proxy > Internet) in specific cases 
>> Possible if required by context: 

>> Use VPN over Tor over VPN (User > VPN > Tor > VPN > Internet) 

>> Use Tor over VPN (User > VPN > Tor > Internet) 
>> Not recommended and risky: 

>> Use VPN alone (User > VPN > Internet) 

>> Use VPN over VPN (User > VPN > VPN > Internet) 
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>> No VPN and no Tor (User > Internet)





Tor only: 


This is the preferred and most recommended solution. 
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section. 


VPN/Proxy over Tor: 


This solution can bring some benefits in some specific cases vs using Tor only where accessing the destination service would be impossible 
from a Tor Exit node. This is because many services will just outright ban, hinder, or block Tor Exit Nodes (see 


alitexH#/ elit t=\oM Cols o)ae)(-Vo1melcell -Ver-Len 71tg-lePmAn | dlsvielgelie(eter| Misi @list-aliter=*=)=1[e(e/ clave Le) an cube acaeate) 
This solution can be achieved in two ways: 
>> Paid VPN over Tor (easiest) 


>> Paid Self-Hosted VPS configured as VPN/Proxy (most efficient in avoiding online obstacles such as captchas but requiring more skills 
with Linux) 


As you can see in this illustration, if your cash (preferred)/Monero paid VPN/Proxy is compromised by an adversary (despite their privacy 
statement and no-logging policies), they will only find an anonymous cash/Monero paid VPN account connecting to their services from a Tor 
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(Illustration: Qubes OS Internal Network, with the Qube App VM connecting through the Encrypted Cash-Paid VPN Qube (VPN Qube) to Internet Services)





If an adversary somehow manages to compromise the Tor network too, they will only reveal the IP of a random public Wi-Fi that is not tied to 
your identity. 


If an adversary somehow compromises your VM OS (with malware or an exploit for instance), they will be trapped within the internal Network 
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Stream isolation is a mitigation technique used to prevent some correlation attacks by having different Tor Circuits for each application. Here 
is an illustration to show what stream isolation is: 


(Illustration: Stream Isolation vs No Stream Isolation, each path shown as 1st Node, 2nd Node, 3rd Node. Illustration from Marcelo Martins.)





VPN/Proxy over Tor falls on the right side, meaning using a VPN/Proxy over Tor forces Tor to use one circuit for all activities instead of
multiple circuits for each. This means that using a VPN/Proxy over Tor can reduce the effectiveness of Tor in some cases and should 
therefore be used only for some specific cases: 


>> When your destination service does not allow Tor Exit nodes.
>> When you do not mind using a shared Tor circuit for various services. For instance for using various authenticated services.
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>> https://www.whonix.org/wiki/Stream_Isolation [Archive.org]
>> https://tails.boum.org/contribute/design/stream_isolation/ [Archive.org]
>> https://www.whonix.org/wiki/Tunnels/Introduction#Comparison_Table [Archive.org]
Tor over VPN: 
You might be wondering: Well, what about using Tor over VPN instead of VPN over Tor? Well, I would not necessarily recommend it:
>> Disadvantages 


>> Your VPN provider is just another ISP that will then know your origin IP and will be able to de-anonymize you if needed. We do not
trust them. Prefer a situation where your VPN provider does not know who you are. It does not add much in terms of anonymity. 


>> This would result in you connecting to various services using the IP of a Tor Exit Node which is banned/flagged in many places. It does not help in terms of convenience.


>> Advantages: 


>> The main advantage is that if you are in a hostile environment where Tor access is impossible/dangerous/suspicious, 
but VPN is okay. 


>> This method also does not break Tor Stream isolation.


Note, if you’re having issues accessing the Tor Network due to blocking/censorship, you could try using Tor Bridges (see Tor Documentation https://2019.www.torproject.org/docs/bridges [Archive.org] and Whonix Documentation https://www.whonix.org/wiki/Bridges [Archive.org]).


It is also possible to consider VPN over Tor over VPN (User > VPN > Tor > VPN > Internet) using two cash/Monero paid VPNs instead. This means that you will connect the Host OS to a first VPN from your Public Wi-Fi, then Whonix will connect to Tor, and finally, your VM will connect to a second VPN over Tor over VPN (see https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor [Archive.org]).


This will of course have a significant performance impact and might be quite slow, but Tor is necessary somewhere for achieving reasonable 
anonymity. 


Achieving this technically is easy within this route, you need two separate anonymous VPN accounts and must connect to the first VPN from 
the Host OS and follow the route. 


Conclusion: Only do this if you think using Tor alone is risky/impossible but VPNs are okay. Or just because you can and so why not. This 
method will not lower your security/privacy/anonymity. 


VPN only: 
This route will not be explained nor recommended. 
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Just using a VPN or even a VPN over VPN makes no sense as those can be traced back to you over time. One of the VPN providers will 
know your real origin IP (even if it is in a safe public space) and even if you add one over it, the second one will still know you were using that 
other first VPN service. This will only slightly delay your de-anonymization. Yes, it is an added layer ... but it is a persistent centralized added 
layer, and you can be de-anonymized over time. This is just chaining 3 ISPs that are all subject to lawful requests. 


For more info, please see the following references: 


>> https://www.whonix.org/wiki/Comparison_Of_Tor_with_CGI_Proxies,_Proxy_Chains,_and_VPN_Services#Tor_and_VPN_Services_Comparison [Archive.org]


>> https://www.whonix.org/wiki/Why_does_Whonix_use_Tor [Archive.org]
>> https://www.researchgate.net/publication/324251041_Anonymity_communication_VPN_and_Tor_a_comparative_study [Archive.org] 
>> https://gist.github.com/joepie9 1/5a9909939e6ce7d09e29#file-vpn-md [Archive.org] 
>> https://schub.wtf/blog/2019/04/08/very-precarious-narrative.html Archive.org] 
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No VPN/Tor: 


If you cannot use VPN nor Tor where you are, you probably are in a very hostile environment where surveillance and control are extremely 
high. 


Just do not, it is not worth it and too risky IMHO. You can be de-anonymized almost instantly by any motivated adversary that could get to 
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Do not forget to check back on Adversaries (threats) and Appendix S: Check your network for surveillance/censorship using OONI. 


If you have absolutely no other option and still want to do something, see Appendix P: Accessing the internet as safely as possible when 
Tor/VPN is not an option (at your own risk). 





Conclusion: 
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Unfortunately, using Tor alone will raise the suspicion of many destinations’ platforms. You will face many hurdles (captchas, errors, difficulties signing up) if you only use Tor. In addition, using Tor where you are could put you in trouble just for that. But Tor remains the best solution for anonymity and must be somewhere for anonymity.


>> If you intend to create persistent shared and authenticated identities on various services where access from Tor is hard, | recommend 
the VPN over Tor and VPS VPN/Proxy over Tor options (or VPN over Tor over VPN if needed). It might be a bit less secure against 
correlation attacks due to breaking Tor Stream isolation but provides much better convenience in accessing online resources than just 
using Tor. It is an “acceptable” trade-off IMHO if you are careful enough with your identity.


mee) Co) <-an | (wm ol-Lexo)anliale Mialolacmere)atlince)amiar-lmisr-lial-jea-t- [ta met:) eral ex-t-wr-1ale Oz B)y bo m-1a-M-1 (Yom o) foley. diaveme)maliale(-valarem Aad) MUCt-Ve- mud iag 
captchas and other various obstacles. In that case, a self-hosted VPS with a VPN/Proxy over Tor is the best solution for 
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Consider a Self-hosted VPN/Proxy on a Monero/Cash-paid VPS (for users more familiar with Linux) if you want the least amount 
of issues (this will be explained in the next section in more details). 


>> If your intent however is just to browse random services anonymously without creating specific shared identities, using Tor friendly
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full benefits of Stream Isolation (or Tor over VPN if you need to). 


>> If cost is an issue, | recommend the Tor Only option if possible. 


>> If both Tor and VPN access are impossible or dangerous then you have no choice but to rely on public Wi-Fi safely. See Appendix P: Accessing the internet as safely as possible when Tor and VPNs are not an option.


For more information, you can also see the discussions here that could help decide yourself: 
>> Tor Project: https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TorPlusVPN [Archive.org] 
>> Tails Documentation: 

>> https://gitlab.tails.boum.org/tails/blueprints/-/wikis/vpn_support/ [Archive.org] 
>> https://tails.boum.org/support/faq/index.en.html#index20h2 [Archive.org] 
>> Whonix Documentation (in this order): 
>> https://www.whonix.org/wiki/Tunnels/Introduction [Archive.org] 
>> https://www.whonix.org/wiki/Tunnels/Connecting_to_Tor_before_a_VPN [Archive.org] 
>> https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor [Archive.org] 
>> Some papers on the matter: 


>> https://www.researchgate.net/publication/324251041_Anonymity_communication_VPN_and_Tor_a_comparative_study [Archive.org]





Getting an anonymous VPN/Proxy: 


Skip this step if you want to use Tor only or VPN is not an option. 
See Appendix O: Getting an anonymous VPN/Proxy 


Note about Plausible Deniability:


(@ JU] oY-s- OLS MUl-\-1-m ©] Come) mui / ell) @-)alelay] ol(e)aur- 1a (eM im romc-\era]aller=l|hvm ofes>s-1]6)(-mcom=(eall-\-i- Me) sanmelmel-lalt=16)]/IN/m Oh’mel=yi ale me [1 r-(ea[-(em MO) Comal-y-(e(-15-e 
Bi alicwismatelanZ-1alalccvele-1(-1e Mm /alcomealtsmel6)(o(-molUimel0 mV IIMilarem-mmc0|co)at-| me) al ale) acon (eval(-\\,-mealomalslk > 
http://dreadytofatroptsdj6io7I3xptbet6onoyno2yv7jicoxknyazubrad.onion/post/af76301c21e1b4a33851 and some more background 
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Installation: 


We will follow the instructions from their own guide https://www.qubes-os.org/doc/installation-guide/ [Archive.org].


(Secure Boot is not supported as per their FAQ: https://www.qubes-os.org/faq/#is-secure-boot-supported [Archive.org] so it should be disabled in the BIOS/UEFI settings.)
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>> Prepare a USB key with the Qubes OS ISO file 
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to Tor due to censorship or blocking, consider using Tor Bridges as recommended earlier. Just follow the tutorial provided here: 


https://www.whonix.org/wiki/Bridges [Archive.org])
>> If you want to use Tor over VPN or cannot use any of those, leave it unchecked. 


>> If you cannot use Tor at all, there is also no point in installing Whonix. So, you should disable Whonix installation within the Software
Selection Menu. 
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recommend that you configure Qubes OS to shut down on any power action (power button, lid closure). You can set this from the XFCE Power Manager. Do not use the sleep features.


Connect to a Public Wi-Fi: 


Remember this should be done from a safe place (see Find some safe places with decent public Wi-Fi and Appendix Q: Using long-range 
Antenna to connect to Public Wi-Fis from a safe distance): 
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>> Now right-click the network icon and select Edit Connections 

>> Add one using the + sign 

>> Select Wi-Fi 

>> Enter the SSID of the desired network you noted before (if needed) 

>> Select Cloned Mac Address 

>> Select Random to randomize your Mac Address 
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Community/Contents/blob/master/docs/privacy/anonymizing-your-mac-address.md [Archive.org]
>> Save 
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>> If this is an Open Wi-Fi requiring registration: You will have to start a browser to register 
>> After you are connected, Start a Disposable Fedora Firefox Browser 
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>> Open Firefox and register (anonymously) into the Wi-Fi 





Updating Qubes OS: 


After you are connected to a Wi-Fi you need to update Qubes OS and Whonix. You must keep Qubes OS always updated before conducting 
any sensitive activities. Especially your Browser VMs. Normally, Qubes OS will warn you about updates in the upper right corner with a gear 
icon. As this might take a while in this case due to using Tor, you can force the process by doing the following: 


>> Click the upper left Applications icon 

>> Select System Tools 

>> Select Qubes Update and Launch it

>> Check the “Enable updates for Qubes without known available updates” 
>> Select all the Qubes 

>> Click Next and update 


>> If you checked the Tor option during install, wait patiently as this might take a while over Tor 


Updating whonix from version 15 to version 16: 


Follow the instructions on https://www.whonix.org/wiki/Qubes/Install [Archive.org]


Hardening Qubes OS: 
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While Qubes OS is already sandboxing everything by design, it is also useful to consider sandboxing apps themselves using AppArmor or 
SELinux. 


APPARMOR: 


“AppArmor is a Mandatory Access Control framework. When enabled, AppArmor confines programs according to a set of rules that specify 
what files a given program can access. This initiative-taking approach helps protect the system against both known and unknown 
vulnerabilities” (Debian.org). 


Basically, AppArmor is an application sandboxing system. By default, it is not enabled but supported by Qubes OS.
>> About the Fedora VMs:
>> Fedora does not use AppArmor but rather SELinux so see the next section for that.
>> About the Debian VMs:
>> Head out and read https://wiki.debian.org/AppArmor [Archive.org] 
>> About any other Linux VM: 
>> Head out and read: 
>> https://wiki.archlinux.org/title/AppArmor [Archive.org]
>> https://wiki.debian.org/AppArmor [Archive.org] 
>> About the Whonix VMs, you should consider enabling and using AppArmor, especially on the Whonix VMs of Qubes OS: 
>> First, you should head out and read https://www.whonix.org/wiki/AppArmor [Archive.org] 


>> Secondly, you should head out again and read https://www.whonix.org/wiki/Qubes/AppArmor [Archive.org] 


SELINUX:
SELinux is similar to AppArmor. The differences between SELinux and AppArmor are technical details into which we will not get.
Here is a good explanation of what it is: https://www.youtube.com/watch?v=_WOKRaM-HI4 [Invidious]


In this guide and the context of Qubes OS, it is important to mention it as it is the recommended method by Fedora which is one of the default 
systems on Qubes OS. 


So, head out and read https://docs.fedoraproject.org/en-US/quick-docs/getting-started-with-selinux/ [Archive.org] 
You could make use of SELinux on your Fedora Templates. But this is up to you. Again, this is for advanced users. 


Setup the VPN ProxyVM: 
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This tutorial should also work with any OpenVPN provider (Mullvad, IVPN, Safing.io, or ProtonVPN for instance). 


This is based on the tutorial provided by Qubes OS themselves (https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/vpn.md [Archive.org]). If you are familiar with this process, you can follow their tutorial. Here is mine:


Create the ProxyVM: 
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>> Click Create Qubes VM 

>> Name and label as you wish: I suggest “VPNGatewayVM”

>> Select Type: Standalone Qube copied from a template 

>> Select Template: Debian-10 (or Debian-11 if you already have it installed) 

>> Select Networking: 
>> Select sys-whonix if you want to do VPN over Tor / Tor only (recommended) 
>> Select sys-firewall if you want to do Tor over VPN / No Tor or VPN / Just VPN 

>> Advanced: Check provides network 

>> Check “Start Qube automatically on boot” 

>> Create the VM 

>> Test your Connectivity: 


>> If you are going for VPN over Tor, Test the VM connectivity to Tor by launching a Browser within the ProxyVM and going to 
https://check.torproject.org [Archive.org] (It should say you are connected to Tor)


>> If you are going for Tor over VPN, Test the VM connectivity to the internet by launching a Browser within the ProxyVM and access 
any website. 


Download the VPN configuration from your cash/Monero paid VPN provider: 
IF YOU CAN USE TOR: 
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from your VPN provider. 
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IF YOU CANNOT USE TOR: 


Launch a browser from a DisposableVM and download the necessary OpenVPN configuration files for Linux from your VPN provider. See 
Appendix P: Accessing the internet as safely as possible when Tor and VPNs are not an option. 


When you are done downloading the configuration files within the Disposable Browser (usually a zip file), copy them to your ProxyVM VPN 
Gateway machine (using right-click on the file and send to another AppVM). 


Configure the ProxyVM: 


Skip this step if you are not going to use a VPN 

>> Click the upper left corner 

>> Select the VPN VM you just created 

>> Open the Files of the VPN VM 

>> Go into “Qubesincoming” > dispXXXX (This was your Disposable Browser VM) 
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>> Now select the VPN VM again and start a terminal 

>> Install OpenVPN with the following command sudo apt-get install openvpn

>> Copy all the OpenVPN configuration files provided by your VPN provider in /etc/openvpn/ 

>> For all the OpenVPN configuration files (for each location): 
>> Edit each file using sudo nano configfile (do not forget sudo to edit the file within /etc)
>> Change the protocol from “udp” to “tcp” (Tor does not support UDP) 


>> Change the port to a supported (by your VPN provider) TCP port (like 80 or 443) 





>> Save and exit each file 
>> Edit the OpenVPN config file (/etc/default/openvpn) by typing sudo nano /etc/default/openvpn (because I do not like vi editor)
>> Change #AUTOSTART="all" to AUTOSTART="all" (in other words, remove the “#”)
>> Save and Exit 
>> Edit the Qubes firewall rules file (/rw/config/qubes-firewall-user-script) by typing “sudo nano /rw/config/qubes-firewall-user-script”
>> Add the following lines (without the quotes and remarks in parentheses)
>> virtualif=10.137.0.17
   (This is the IP of the ProxyVM, this is not dynamic, and you might need to change it at reboot)
>> vpndns1=10.8.0.1
   (This is the first DNS server of your VPN provider; it should not change)
>> vpndns2=10.14.0.1
   (This is the second DNS server of your VPN provider; it should not change)
>> iptables -F OUTPUT
>> iptables -I FORWARD -o eth0 -j DROP
>> iptables -I FORWARD -i eth0 -j DROP
>> ip6tables -I FORWARD -o eth0 -j DROP
>> ip6tables -I FORWARD -i eth0 -j DROP
   (These will block outbound traffic when the VPN is down, it is a kill switch, more information here https://linuxconfig.org/how-to-create-a-vpn-killswitch-using-iptables-on-linux [Archive.org])
>> iptables -A OUTPUT -d 10.8.0.1 -j ACCEPT
>> iptables -A OUTPUT -d 10.14.0.1 -j ACCEPT
   (These will allow DNS requests to your VPN provider DNS to resolve the name of the VPN servers in the OpenVPN configuration files)
>> iptables -F PR-QBS -t nat
>> iptables -A PR-QBS -t nat -d $virtualif -p udp --dport 53 -j DNAT --to $vpndns1
>> iptables -A PR-QBS -t nat -d $virtualif -p tcp --dport 53 -j DNAT --to $vpndns1
>> iptables -A PR-QBS -t nat -d $virtualif -p udp --dport 53 -j DNAT --to $vpndns2
>> iptables -A PR-QBS -t nat -d $virtualif -p tcp --dport 53 -j DNAT --to $vpndns2
   (These will redirect all DNS requests from the ProxyVM to the VPN provider DNS servers)

>> Restart the ProxyVM by typing “sudo reboot” 


>> Test the ProxyVM VPN connectivity by starting a Browser within it and going to your VPN provider test page. It should now say you are 
connected to a VPN: 


>> Mullvad: https://mullvad.net/en/check/ [Archive.org] 
>> IVPN: https://www.ivpn.net/ [Archive.org] (check the top banner)
>> ProtonVPN: Follow their instructions here https://protonvpn.com/support/vpn-ip-change/ [Archive.org] 
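The udp-to-tcp edit above has to be applied to every configuration file the provider ships, and a file that keeps a UDP-only option will not start over Tor. The following helper is an added example (not from this guide, nor from Qubes or any VPN provider) that rewrites a set of OpenVPN client configs to TCP and reports anything still UDP-bound; the sample config, hostnames and port 443 are constructed assumptions.

```python
"""Prepare OpenVPN client configs for use over Tor (TCP only) and check them."""
from typing import List

# OpenVPN options that are only valid together with --proto udp; OpenVPN
# refuses to start when they are combined with a TCP transport.
UDP_ONLY_OPTIONS = {"explicit-exit-notify", "fragment"}


def _tokens(line: str) -> List[str]:
    """Split a config line into option tokens, ignoring comments and blanks."""
    stripped = line.strip()
    if not stripped or stripped.startswith(("#", ";")):
        return []
    return stripped.split("#", 1)[0].split()


def tor_compat_issues(text: str) -> List[str]:
    """Return one message per setting that would keep this config off Tor."""
    lines = text.splitlines()
    # A global 'proto tcp' makes 'remote' lines without an explicit protocol
    # use TCP; with no 'proto' line at all, OpenVPN defaults to UDP.
    global_tcp = any(
        t and t[0].lower() == "proto" and len(t) > 1 and t[1].lower().startswith("tcp")
        for t in map(_tokens, lines)
    )
    issues = []
    for n, line in enumerate(lines, 1):
        t = _tokens(line)
        if not t:
            continue
        key = t[0].lower()
        if key == "proto" and len(t) > 1 and t[1].lower().startswith("udp"):
            issues.append(f"line {n}: '{line.strip()}' uses UDP")
        elif key == "remote":
            proto = t[3].lower() if len(t) > 3 else None
            if proto is not None and proto.startswith("udp"):
                issues.append(f"line {n}: '{line.strip()}' uses UDP")
            elif proto is None and not global_tcp:
                issues.append(f"line {n}: '{line.strip()}' inherits the UDP default")
        elif key in UDP_ONLY_OPTIONS:
            issues.append(f"line {n}: '{key}' is only valid with UDP")
    return issues


def rewrite_ovpn_for_tor(text: str, tcp_port: int = 443) -> str:
    """Switch the config to TCP on tcp_port and comment out UDP-only options."""
    out = []
    for line in text.splitlines():
        t = _tokens(line)
        key = t[0].lower() if t else ""
        if key == "proto":
            out.append("proto tcp")
        elif key == "port":
            out.append(f"port {tcp_port}")
        elif key == "remote" and len(t) > 1:
            # Keep the server name, force the chosen TCP port and protocol.
            out.append(f"remote {t[1]} {tcp_port} tcp")
        elif key in UDP_ONLY_OPTIONS:
            out.append(f"# removed for TCP transport: {line.strip()}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def remote_hosts(text: str) -> List[str]:
    """Server names the ProxyVM must resolve through the VPN provider DNS."""
    return [
        t[1]
        for t in map(_tokens, text.splitlines())
        if t and t[0].lower() == "remote" and len(t) > 1
    ]


# Constructed sample; not a real provider file.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn-a.example.invalid 1194 udp
remote vpn-b.example.invalid 1194
explicit-exit-notify 3
cipher AES-256-GCM
"""

if __name__ == "__main__":
    for issue in tor_compat_issues(SAMPLE_OVPN):
        print("before:", issue)
    fixed = rewrite_ovpn_for_tor(SAMPLE_OVPN)
    print(fixed)
    print("after:", tor_compat_issues(fixed) or "no issues")
    print("hosts to resolve:", remote_hosts(fixed))
```

Run tor_compat_issues over the rewritten files once more before rebooting the ProxyVM: an empty list means no UDP setting survived the edit.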
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SET UP A DISPOSABLE BROWSER QUBE FOR VPN OVER TOR USE: 
>> Within the Applications Menu (upper left corner), Select the Disposable Fedora VM 
>> Go into Qube Settings 
>> Click Clone Qube and name it (like “VPNoverTor”)
>> Again, within the Application Menu, Select the Clone you just created 
>> Go into Qube Settings 
>> Change the Networking to your ProxyVPN created earlier


>> Click OK 





>> Start a Browser within the Whonix Workstation 
>> Check that you have VPN connectivity, and it should work 


You should now have a Disposable Browser VM that works with your cash/Monero paid VPN over Tor. 


Tor Over VPN: 


Reconfigure your Whonix Gateway VM to use your ProxyVM as NetVM instead of sys-firewall: 
>> Within the Applications Menu (upper left corner), Select the sys-whonix VM. 
>> Go into Qube Settings 
>> Change the Networking NetVM to your ProxyVPN created earlier instead of sys-firewall 
>> Click OK 
>> Create a Whonix Workstation Disposable VM (follow this tutorial https://www.whonix.org/wiki/Qubes/DisposableVM [Archive.org]) 
>> Launch a browser from the VM and Check that you have VPN connectivity, and it should work. 
Alternatively, you can also create any other type of disposable VM (but less secure than the Whonix one): 
>> Within the Applications Menu (upper left corner), Select the Disposable Fedora VM 
>> Go into Qube Settings
>> Click Clone Qube and name it (like “TorOverVPN”) 
>> Again, within the Application Menu, Select the Clone you just created 
>> Go into Qube Settings
>> Change the Networking to your sys-whonix created earlier 
>> Click OK 
>> Start a Browser within the VM 
>> Check that you have VPN connectivity, and it should work 
You should now have a Disposable Browser VM that works with Tor over a cash/Monero paid VPN. 


Any other combination? (VPN over Tor over VPN for instance) 


By now you should understand how easy it is to route traffic from one VM to the other with Qubes. 


You can create several ProxyVMs for VPN accesses and keep the Whonix one for Tor. You just need to change the NetVM settings of the 
>> One VPN ProxyVM for the base Qubes OS connection 
>> Use the sys-whonix VM (Whonix Gateway) getting its network from the first ProxyVM 
>> A second VPN ProxyVM getting network from sys-whonix 
>> Disposable VMs getting their NetVM from the second ProxyVM 


This would result in User > VPN > Tor > VPN > Internet (VPN over Tor over VPN). Experiment for yourself. Qubes OS is great for this kind of setup. 
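As an added example (dom0 shell, not code from the guide or from the Qubes project), here is the CLI form of the chains described in the Tor over VPN, VPN over Tor and VPN over Tor over VPN passages above, plus a small check that walks the NetVM settings dom0 reports and prints the resulting path, so you can confirm a nesting (and that the vault has no NetVM at all) before any identity relies on it. The qube names sys-vpn-outer, sys-vpn-inner, disp-vpn-tor-vpn and disp-tor-over-vpn are illustrative; the pipe-separated "NAME|NETVM" output of qvm-ls --raw-data and the "-" shown for an absent NetVM are assumptions; and the listing embedded in the script is constructed for the demo, not taken from a real system:

```shell
#!/bin/sh
# Added example (not from the guide): print the NetVM chain of a qube as dom0
# sees it, so a VPN/Tor nesting can be verified before any identity uses it.
# Real use in dom0 (assumed output format of qvm-ls --raw-data: "NAME|NETVM"):
#   qvm-ls --raw-data --fields NAME,NETVM > /tmp/netvms.txt
#   netvm_chain disp-vpn-tor-vpn "$(cat /tmp/netvms.txt)"
# The CLI equivalent of the "Qube Settings > Networking" clicks above, with
# illustrative qube names (the sys-vpn-* ProxyVMs are assumed, not Qubes defaults):
#   qvm-prefs sys-vpn-outer    netvm sys-firewall   # VPN ProxyVM on the base connection
#   qvm-prefs sys-whonix       netvm sys-vpn-outer  # Tor over that VPN
#   qvm-prefs sys-vpn-inner    netvm sys-whonix     # second VPN over Tor
#   qvm-prefs disp-vpn-tor-vpn netvm sys-vpn-inner  # disposable using the full chain
#   qvm-prefs vault            netvm ''             # the vault stays offline

# Constructed sample of the dom0 listing ("-" assumed to mean no NetVM).
SAMPLE_QVM_LS='sys-net|-
sys-firewall|sys-net
sys-vpn-outer|sys-firewall
sys-whonix|sys-vpn-outer
sys-vpn-inner|sys-whonix
disp-vpn-tor-vpn|sys-vpn-inner
disp-tor-over-vpn|sys-whonix
vault|-'

# netvm_chain QUBE [TABLE]: prints "QUBE > netvm > ... > sys-net", or
# "QUBE > (no NetVM)" for an offline qube such as the vault. Returns 1 if the
# qube is not in the table or the chain does not terminate.
netvm_chain() {
    vm=$1
    table=${2:-$SAMPLE_QVM_LS}
    path=$vm
    hops=0
    while [ "$hops" -lt 16 ]; do   # Qubes refuses NetVM loops; guard anyway
        next=$(printf '%s\n' "$table" | awk -F'|' -v n="$vm" '
            $1 == n { print $2; found = 1; exit }
            END { if (!found) print "?" }')
        case $next in
            '?')
                printf '%s > (unknown qube)\n' "$path"
                return 1 ;;
            '-'|'')
                if [ "$hops" -eq 0 ]; then path="$path > (no NetVM)"; fi
                printf '%s\n' "$path"
                return 0 ;;
        esac
        path="$path > $next"
        vm=$next
        hops=$((hops + 1))
    done
    printf '%s > (chain too long)\n' "$path"
    return 1
}

# chain_summary QUBE [TABLE]: the same chain in the guide's notation, e.g.
# "User > VPN > Tor > VPN > Internet". Heuristic naming assumed: sys-whonix is
# the Tor hop, anything named sys-vpn* is a VPN hop, sys-firewall/sys-net are plumbing.
chain_summary() {
    chain=$(netvm_chain "$1" "${2:-$SAMPLE_QVM_LS}") || return 1
    case $chain in
        *'(no NetVM)'*) printf 'User > (offline)\n'; return 0 ;;
    esac
    out='User'
    for hop in $(printf '%s\n' "$chain" | tr -d ' ' | tr '>' ' '); do
        case $hop in
            sys-whonix) out="$out > Tor" ;;
            sys-vpn*)   out="$out > VPN" ;;
        esac
    done
    printf '%s > Internet\n' "$out"
}

# Stand-alone demo against the constructed sample.
for q in disp-vpn-tor-vpn disp-tor-over-vpn vault; do
    netvm_chain "$q"
    chain_summary "$q"
done
```

Feed it the real qvm-ls output in dom0; what it proves is only that the hops are wired as intended. Still confirm from inside the disposable qube that the VPN provider's test page agrees, because a ProxyVM whose VPN client is down and has no kill switch will simply pass traffic to its upstream (Tor or clearnet) address.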


Setup a safe Browser within Qubes OS (optional but recommended): 


See: Appendix V: What browser to use in your Guest VM/Disposable VM 
Within the Applications Menu (upper left), Select the Fedora-3x template (x being the latest Fedora template available in your install): 
>> Go into Qube Settings 
>> Clone the VM and name it "fedora-3x-brave" (this VM template will have Brave) 
>> Again, go into the Applications Menu and select the clone you just created 
>> Go into Qube Settings 
>> Change its network to the ProxyVPN and Apply 


>> Launch a terminal from the VM 





If you want to use Brave: apply the instructions from https://brave.com/linux/ [Archive.org] (Fedora 28+ section) and run the following commands: 
>> sudo dnf install dnf-plugins-core 
>> sudo dnf config-manager --add-repo https://brave-browser-rpm-release.s3.brave.com/x86_64/ 
>> sudo rpm --import https://brave-browser-rpm-release.s3.brave.com/brave-core.asc 
>> sudo dnf install brave-browser 

You should also consider hardening your browser, see 


Whonix Disposable VM: 


Edit the Whonix Disposable VM template and follow instructions here https://www.whonix.org/wiki/Install_Software [Archive.org] 


Additional browser precautions: 


>> See: Appendix V1: Hardening your Browsers 
>> See: Appendix A5: Additional browser precautions with JavaScript enabled 


Setup an Android VM: 


Because sometimes you want to run mobile Apps anonymously too. You can also set up an Android VM for this purpose. As in other cases, 
ideally, this VM will also be sitting behind the Whonix Gateway for Tor network connectivity. But this can also be set up as VPN over Tor over 
VPN. 


Since Android-x86 does not work "well" with Qubes OS (in my own experience), I will instead recommend using AnBox (https://anbox.io/ [Archive.org]), which works "well enough" with Qubes OS. More information can also be found at https://www.whonix.org/wiki/Anbox [Archive.org] 


If you can use Tor (natively or over a VPN): 


Later in the Qubes settings during creation: 
>> Select Networking 
>> Change to sys-whonix to put it behind the Whonix Gateway (over Tor). 
If you cannot use Tor: 
Just use the tutorials as is. See Appendix P: Accessing the internet as safely as possible when Tor and VPNs are not an option. 


Installation: 


Basically, follow the tutorial here: 
>> Click Create Qubes VM 

>> Name and label as you wish: | suggest “Android Box” 

>> Select Type: Standalone Qube copied from a template 

>> Select Template: Debian-10 (or Debian-11 if you already have it installed) 

>> Select Networking: 
>> Select sys-whonix for Tor only (recommended); this becomes Tor over VPN if you reconfigured sys-whonix earlier to use your VPN ProxyVM as its NetVM 
>> Select your VPN ProxyVM (the one that gets its network from sys-whonix) for VPN over Tor 
>> Select sys-firewall if you want neither Tor nor VPN (or a VPN ProxyVM that sits directly behind sys-firewall for just a VPN) 


>> Start the Qube and open a Terminal 


Now you will have to follow the instructions from here: https://github.com/anbox/anbox-modules [Archive.org]. 
>> Start by cloning the AnBox Modules repository by running: 
>> git clone https://github.com/anbox/anbox-modules.git 
>> Change into the cloned directory: cd anbox-modules 
>> Run ./INSTALL.sh (or follow the manual instructions on the tutorial) 
>> Reboot the machine 
>> Open a new terminal 
>> sudo apt install snapd 





Now we will follow their other tutorial from here: https://github.com/anbox/anbox/blob/master/docs/install.md [Archive.org]. 
>> Install AnBox by running: 
>> snap install --devmode --beta anbox 
>> To update AnBox later, run: 
>> snap refresh --beta --devmode anbox 
>> Reboot the machine 
>> Open a terminal again and start the emulator by running: 
>> anbox.appmgr 
This should pop up an Android interface. Sometimes it will crash, and you might have to run it twice to make it work. 
If you want to install apps on this emulator: 
>> Install ADB by running: 
>> sudo apt install android-tools-adb 
>> First start Anbox (run anbox.appmgr) 
>> Grab the APK of any app you want to install 
>> Now install any APK by running: 
>> adb install my-app.apk 
ADB. This is, for now and in my opinion, the easiest way to get Android emulation on Qubes OS. 


KeePassXC: 

You will need something to store your data (logins/passwords, identities, and TOTP/2FA information). 

For this purpose, I strongly recommend KeePassXC because of its integrated TOTP feature. This is the ability to create entries that also generate your 2FA codes. 
In the context of Qubes OS you should store your sensitive information within the Domain: Vault Qube. Do not give the vault network access, even temporarily: staying offline is its whole purpose, and it would not help anyway, because packages installed inside an AppVM land in its root filesystem, which is discarded at shutdown and rebuilt from the template. Install KeePassXC in the vault's template instead (recent Qubes templates usually already include it, so check first): 
>> First, click the Applications icon (upper left), select the Domain: Vault Qube, open its Qube Settings and note which template it is based on 
>> Open a terminal within that template (templates fetch packages through the Qubes update proxy; they do not need a NetVM of their own) 
>> Type: sudo dnf install keepassxc (Fedora template) or sudo apt install keepassxc (Debian template) and wait for it to install 
>> Shut down the template 
>> Go into the Domain: Vault Qube Settings and into the Applications tab 
>> Click Refresh 
>> Add KeePassXC to the Selected tab 
>> Launch KeePassXC within the Domain: Vault Qube, and verify in its Qube Settings that Networking still reads (none) 
Creating your anonymous online identities: 


Understanding the methods used to prevent anonymity and verify identity: 


Captchas: 
[xkcd comic: "They're getting smarter." (Illustration by Randall Munroe, xkcd.com, licensed under CC BY-NC 2.5)] 
Captcha stands for "Completely Automated Public Turing test to tell Computers and Humans Apart". These are Turing-test puzzles you need to complete before accessing a form/website. You will mostly encounter those provided by Google (reCAPTCHA service) and Cloudflare (hCaptcha). hCaptcha is used on 15% of the internet by their own metrics. 


They are designed to separate bots from humans but are also clearly used to deter anonymous and private users from accessing services. 


If you often use VPNs or Tor, you will quickly encounter many captchas everywhere. Quite often when using Tor, even if you succeed in 
solving all the puzzles (sometimes dozens in a row), you will still be denied after solving them. 
Modern Captchas use advanced machine learning and risk analysis algorithms to check if you are human: 


>> They check your browser, cookies, and browsing history using Browser Fingerprinting. 
>> They track your cursor movements (speed, accuracy) and use algorithms to decide if it is "human/organic". 
>> They track your behavior before/during/after the tests to ensure you are "human". 


It is also highly likely that those platforms could already reliably identify you based on the unique way you interact with those puzzles. This 
You will often experience several in a row (sometimes endlessly) and sometimes exceedingly difficult ones involving reading undecipherable 
characters or identifying various objects on endless pictures sets. You will also have more captchas if you use an ad-blocking system (uBlock 
for example) or if your account was flagged for any reason for using VPNs or Tor previously. 


You will also have (in my experience) more Captchas (Google's reCAPTCHA) if you do not use a Chromium-based browser. But this can be 
mitigated by using a Chromium-based browser such as Brave. There is also a Browser extension called Buster that could help you with those: 
https://github.com/dessant/buster [Archive.org] 


As for Cloudflare (hCaptcha), you could also use their Accessibility solution here (https://www.hcaptcha.com/accessibility [Archive.org]) which 
would allow you to sign up (with your anonymous identity created later) and set a cookie within your Browser that would allow you to bypass 
their captchas. Keep in mind that this cookie is itself an identifier, so use it only inside the VM of the identity it was created for. Another solution to mitigate hCaptcha would be to use their own solution called "Privacy Pass" 
(https://privacypass.github.io/ [Archive.org]) in the form of a Browser extension you could install in your VM Browser. 


You should therefore deal with those carefully and force yourself to alter the way you are solving them (speed/movement/accuracy/...) to 
prevent “Captcha Fingerprinting”. 


Fortunately, as far as | am aware, these are not yet officially/publicly used to de-anonymize users for third parties. 


To avoid those issues, you should consider using a VPN over Tor. And the best option to avoid those is likely to use a self-hosted 
VPN/Proxy over Tor on a cash/Monero paid VPS server. 


Phone verification: 





Phone verification is advertised by most platforms to verify you are human. But do not be fooled, the main reason for phone verification is not 
Most platforms (including the privacy-oriented ones such as Signal/Telegram/ProtonMail) will require a phone number to register, and most 
Fortunately, this guide explained earlier how to get a number for these cases: Getting an anonymous Phone number. 


E-Mail verification: 


E-Mail verification is what used to be enough but is not anymore in most cases. What is important to know is that open e-mail providers 
(disposable e-mail providers for instance) are flagged as much as open proxies (like Tor). 


Most platforms will not allow you to register using an “anonymous” or disposable e-mail. As they will not allow you to register using an IP 
address from the Tor network. 


The key thing to this is that it is becoming increasingly difficult to sign-up for a free e-mail account anywhere without providing (you guessed 
It is possible that those services (ProtonMail for instance) might require you to provide an e-mail address for registration. In that case, I would 
recommend you create an e-mail address from these providers: 


>> MailFence: https://mailfence.com/ 

>> Disroot: https://disroot.org 

>> Autistici: https://autistici.org 

>> Envs.net: https://envs.net/ 

>> CTemplar: https://ctemplar.com (unfortunately also requires invitation) 


Keep in mind that those do not provide a zero-access design (where only you can access your e-mail): they can read your e-mail at rest in 
their database. 


A note about Riseup: 


RiseUp’s warrant canary has been renewed late, with their Twitter posting a cryptic message seeming to tell users not to trust them. Due to 
the suspicious situation, this guide can no longer recommend them. 


Also see: https://forums.whonix.org/t/riseup-net-likely-compromised/3195 


Riseup (https://riseup.net [Tor Mirror]): it has also come to my attention that the site now, unfortunately, requires an invitation from a current registered user. 


Protecting your anonymous online identities e-mails using Aliasing services: 


If you want to avoid communicating your anonymous e-mail addresses to various parties, I would strongly suggest considering e-mail 
aliasing services such as: 


>> https://simplelogin.io/ (preferred first choice due to more options available to the free tier) 
>> https://anonaddy.com/ 


These services will allow creating random aliases for your anonymous e-mail (on ProtonMail for example) and could increase your general 
privacy if you do not want to disclose that e-mail for any purpose. They are both recommended by Privacyguides.org and Privacytools.io. I’m 
User details checking: 


Obviously, Reddit does not do this (yet), but Facebook most likely does and will look for "suspicious" things in your details (which could 
Some examples: 
>> IP address from a country different than your profile country. 
>> Unknown in anyone else's contacts (meaning nobody else knows you). 
>> Locking down privacy settings after signing up. 
>> Name that does not match the correct ethnicity/language/country? 


Proof of ID verification: 





The deal-breaker in most cases. As far as | know, only Facebook and LinkedIn (outside of financial services) have requested such 
verifications which involve sending pictures of some form of identification (passport, national ID card, driver’s license ...). The only way to do 
Therefore, this is a line I am not going to help you cross within this guide. Some services are offering such services online, but I think they are 
In many countries, only law enforcement, some specific processes (such as GDPR requests), and some well-regulated financial services 
may request proof of identification. So, the legality of asking for such documents is debatable and | think such platforms should not be 
allowed to require those. 
IP Filters: 


As stated previously in this guide, many platforms will apply filters on the IPs of the users. Tor exit nodes are publicly listed, and VPN exit 
servers are "well known". There are many commercial and free services providing the ability to block those IPs with ease (hi Cloudflare). 


Many platforms’ operators and administrators do not want traffic from these IPs as they often drive a lot of unlawful/malicious/unprofitable 
traffic to their platforms. Usually using the same excuses: 


>> Unlawful because “Think of the children” or “Terrorists”. 
>> Malicious because of “Russian trolls”. 


>> Unprofitable because “Well it’s noise in the data we sell to advertisers” (AdSense, Facebook Ads ...). Yet we still pay traffic for them so 
let us just deny them all instead. 


Fortunately, those systems are not perfect, and you will (still) be able to get around those restrictions by switching identities (in the case of 
Tor) and retrying the website each time until you find an Exit Node that is not block-listed (yet). 


Sometimes some platforms will allow you to log in with a Tor IP but not sign up (see 
https://gitlab.torproject.org/legacy/trac/-/wikis/org/doc/ListOfServicesBlockingTor [Archive.org]). Those platforms will keep a convenient 
permanent log of the IP you used during sign-up. And some will keep such logs indefinitely including all the IPs you used to log in (hi 
Facebook). 
hard to use by forcing increasingly difficult captchas on most VPN users. 


For this reason, this guide does recommend the use of VPN over Tor (and not Tor over VPN) in certain use cases. Remember that the best 
option to avoid those is to use a self-hosted VPN/Proxy over Tor on a cash/Monero paid VPS server. 


Browser and Device Fingerprinting: 


Browser and Device Fingerprinting are usually integrated into the Captcha services but also in other various services. 

Many platforms (like Google) will check your browser for various capabilities and settings and block Browsers they do not like. This is one 
of the reasons I recommend using Chromium-based Browsers such as Brave Browser over Tor Browser within this VM. 


Here are some of the things they check within recent browsers: 
>> User-Agent: This is your Browser name and Version. 
>> HTTP_ACCEPT Headers: This is the type of content your Browser can handle. 
>> Time Zone and Time Zone Offset: Your time zone. 
>> Screen Size and Color Depth: The resolution of your screen. 
>> System Fonts: The typing fonts installed on your system. 
>> Hash of Canvas fingerprint and Hash of WebGL fingerprint: These are generated unique IDs based on your graphic rendering 
capabilities. 
>> WebGL Vendor & Renderer: Name of your Video card 
>> Do-Not-Track enabled or not: Well, yes, they can use your DNT information to track you 
>> Language: The language of your Browser 
>> Platform: The Operating System you are using 
>> Touch Support: If your system supports touch (such as a phone/tablet or touchscreen-enabled laptop) 
>> Ad Blocking use: If your browser blocks ads 
>> AudioContext fingerprint: Like the Canvas and WebGL fingerprints these will fingerprint your audio capabilities. 
>> CPU: What kind of CPU you are using and how many of them 
>> Memory: How much memory you have in your System 
>> Browser Permissions: Is your browser allowing some things like geolocation or microphone/webcam access. 
>> ... 
Here are three services you can use to check your browser Fingerprinting: 
>> https://coveryourtracks.eff.org/ 
>> https://amiunique.org/ 
>> https://browserleaks.com/ 
Chances are you will find your browser fingerprint unique no matter what you do. 
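As an added example that is not from the guide, here is how such a checker turns the attributes listed above into an anonymity set size and "bits of identifying information" (EFF's Cover Your Tracks reports the same two numbers for each attribute). The visitor population is constructed for the demo and the four-attribute subset (user agent, time zone, screen, DNT) is an assumption; what it shows is that the three letterboxed Tor Browser visitors share one fingerprint and so hide among each other, while each Chrome visitor on a Berlin time zone is unique:

```shell
#!/bin/sh
# Added example (not from the guide): how a fingerprinting service turns the
# attributes listed above into "one in N browsers" / bits of identifying
# information. The population below is constructed, not real measurement data;
# the fields are user-agent|timezone|screen|dnt for 8 visitors, an assumed subset.
POPULATION='chrome-brave|UTC|1920x1080|1
chrome-brave|UTC|1920x1080|1
chrome-brave|UTC|1366x768|0
firefox-tb|UTC|1000x1000|0
firefox-tb|UTC|1000x1000|0
firefox-tb|UTC|1000x1000|0
chrome|Europe/Berlin|2560x1440|0
chrome|Europe/Berlin|1920x1080|1'

# fp_count KEY [COL]: anonymity set size, i.e. how many visitors share KEY as
# their whole fingerprint line (COL omitted) or as field number COL.
fp_count() {
    printf '%s\n' "$POPULATION" | awk -F'|' -v k="$1" -v c="${2:-0}" '
        (c == 0 ? $0 : $c) == k { n++ }
        END { print n + 0 }'
}

# fp_bits KEY [COL]: surprisal in bits, log2(population / anonymity set). A
# value seen by nobody else is counted as a new unique visitor (1 of N+1),
# which is how a checker treats your own first visit.
fp_bits() {
    n=$(fp_count "$1" "${2:-0}")
    total=$(printf '%s\n' "$POPULATION" | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then n=1; total=$((total + 1)); fi
    awk -v n="$n" -v t="$total" 'BEGIN { printf "%.2f\n", log(t / n) / log(2) }'
}

# Stand-alone demo: the letterboxed Tor Browser visitors share one fingerprint,
# while the two Chrome visitors on a Berlin time zone are each unique.
for fp in 'firefox-tb|UTC|1000x1000|0' 'chrome|Europe/Berlin|2560x1440|0'; do
    printf '%s: shared by %s, %s bits\n' "$fp" "$(fp_count "$fp")" "$(fp_bits "$fp")"
done
printf 'screen=1000x1000 alone: %s bits; timezone=UTC alone: %s bits\n' \
    "$(fp_bits 1000x1000 3)" "$(fp_bits UTC 2)"
```

The per-column form is what tells you which attribute is doing the damage: in this sample the time zone gives away almost nothing (most visitors are on UTC) while the screen size alone already separates the Tor Browser users from everyone else, which is why Tor Browser pins its window size and why a single odd attribute can make you unique even when everything else is common.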


Human interaction: 


Some platforms will add this as a bonus step and require you to have an actual human interaction with a customer care representative. 
Usually by e-mail but sometimes by chat/phone. They will want to verify that you exist by asking you to reply to an e-mail/chat/phone call. 
Many platforms will delegate and rely on their users to moderate the others and their content. These are the "report" features that you will find 
on most platforms. 


Getting reported thousands of times does not matter when you are Donald Trump or Kim Kardashian, but if you, as a sole "friendless" 
anonymous user, get reported even once, you might get suspended/flagged/banned instantly. 


Behavioral Analysis: 
Financial transactions: 


Simple and efficient, some platforms will require you to perform a financial transaction to verify your account sometimes under the pretext of 
verifying your age. This could be a credit card verification or an exceedingly small amount bank wire. Some will accept a donation in a main 
cryptocurrency like Bitcoin or Ethereum. 


While this might seem innocent, this is obviously an ID verification and de-anonymization method. This is just indirectly relying on third-party 
financial KYC regulations. 

This is for instance now the case on YouTube for some European Users but also used by services like Amazon that require a valid 
payment method for creating an account. 


[Screenshot: a "Verify your age" prompt] 





Sign-in with some platform: 


Why do this user-verification ourselves when we can just ask others to deal with it? 





You will notice this, and you probably already encountered this. Some apps/platforms will ask/require you to sign in with a well-known and 
well-used reputable platform instead of their own system (Sign-in with Google/Facebook/Apple/Twitter). 
This option is often presented as the "default one", hiding away the "Sign-in with e-mail and password" with clever Dark Patterns, and is 
unfortunately sometimes needed. 

This method delegates the verification process to those platforms, on the assumption that you will not be able to create an anonymous 
Google/Facebook/Apple/Twitter account with ease. 


Fortunately, it is still possible to this day to create those. 
Some platforms/apps will require you to take a live picture of yourself either doing something (a wink, holding an arm up ...) or showing a 
custom piece of information (a handwritten text, a passport, or ID) within the picture. Sometimes the platform/app will require several pictures 
to increase their certainty. 


[Screenshot of a dating app's photo verification: "Do these pics match? Make sure your pose is as similar as possible to the original photo", shown next to a sample profile, with the instruction "Copy the pose in the picture above"] 

This guide will not cover this one (yet) as it is mainly used on financial platforms (that will be able to identify you with other means anyway) 
and some dating apps like Tinder. Unfortunately, this method is now also sometimes being used on Facebook and Instagram as part of 
their verification methods (though I did not face it yet so far). 





[Screenshots of a video selfie verification flow: "Take a Video Selfie", "Tips for Video Selfie", "Hold Your Phone at Eye Level", "Position your face in the circle", "Follow the On-Screen Instructions" (the app states it needs to see your face at different angles to help confirm you're a real person), "Video Selfie Complete"] 
previously saved (edited) image. 


Recently even platforms such as PornHub decided to implement similar measures in the future. 


This verification is extremely hard to defeat but possible. A method to possibly defeat those would be to use "deep fake" technology software 
such as the open-source FaceSwap https://github.com/deepfakes/faceswap [Archive.org] to generate the required verification pictures using a 
Unfortunately, some apps require direct access to a smartphone camera to process the verification. In that case, we will need to find a way to 
do such "face swaps" on the fly using a filter and another way to feed this into the camera used by the app. A possible approach would be 
similar to this impressive project https://github.com/iperov/DeepFaceLive [Archive.org]. 


Manual reviews: 


These can be triggered by any of the above and just means someone (usually specialized employees) will review your profile manually and 
decide whether it is real or not based on their subjective opinion. 


Some countries have even developed hotlines where you can report any subversive content. 
Pros: Usually that verdict is "final", and you will probably avoid further issues if you are good. 


Cons: Usually that verdict is "final", and you will probably be banned without any appeal possibility if you are not good. Sometimes those 
reviews end up with the platform just ghosting you and cancelling you without any reason whatsoever. Any appeal will be left unanswered, 
ignored, or will generate some random bug when you try to complete it (this is the case on Instagram for instance, where if your account gets 
"suspended", obviously by some manual review, trying to complete the appeal form will just throw an error and tell you to try again later; I have 
been trying this same appeal for that identity for the past 6 months at least). 


Getting Online: 


Now that you have a basic understanding of all the ways you can be de-anonymized, tracked, and verified. Let us get started at evading 
these while staying anonymous. Remember: 


>> You cannot trust ISPs 

>> You cannot trust VPS providers 

>> You cannot trust public Wi-Fi providers 
>= You cannot trust Mobile Network providers 
==> You cannot trust VPN providers 

>> You cannot trust any Online Platform 

>> You cannot trust Tor 

>> You cannot trust your Operating System 
>> You cannot trust your Laptop 

>> You cannot trust your Smartphone (especially Android) 
>> You cannot trust your Smart devices 

>> Above all, you cannot trust people 




So what? Well, instead of not trusting anyone or anything, I would advise to "Trust but verify", or "Never trust, always verify" if you are 
more hardcore about it and want to apply Zero-Trust Security instead. 

Do not start this process unless: 
>> You can find a safe place with decent public Wi-Fi (or use a long-range Antenna to connect to Public Wi-Fis from a safe distance) 
Creating new identities: 


This is the fun part where you will now create your identities from thin air. These identities do not exist but should be plausible and look 
"organic". They should ideally have a story, a "legend" (yes this is the real term for this). 


What is a legend? Well, it is a full back-story for your character: 
>> Name 
>> Sex 
>> Gender 
>> Ethnicity 
>> Place of Birth and date of Birth 
>> Place of residence 
>> Country of origin 
>> Visited Countries (for travels for instance) 
>> Interests and Hobbies 
>> Education History 
>> Work experience 
>> Health information 
>> Religion if any 
>> Goals 
>> Family history 
>> Family composition (if any: children, spouse) 
>> Relationship Status if any (Married? Single?) 
>> Spoken Languages 
>> Personality traits (Introvert, Extrovert ...) 
>> ... 


All these should be crafted carefully for every single identity, and you should be incredibly careful to stick to the details of each legend when 
your legend. Everything should always be consistent. 


Tools that can help with this: 
>> https://www.fakenamegenerator.com/ 
>> https://thispersondoesnotexist.com/ 
I will help you a bit by listing a few tips I learned while researching over the years (disclaimer: this is based on my individual experiences 
alone): 
>> "Some animals are more equal than others". 


>> Ethnicity is important and you will have fewer issues and attract less attention to verification algorithms if your identity is 
Caucasian/East-Asian than if it is Arabic/Black (yes, | tested this extensively and it is definitely an issue). 


>> Age is important and you will have fewer issues if you are young (18-22) than if you are middle-aged or older. Platforms seem to 
be more lenient in not imposing restrictions on younger audiences. 


>> Sex/Gender is important, and you will have fewer issues if you are a female than if you are a male. 


>> Country of origin is important, and you will have fewer issues if your identity is Norwegian than if it is Ukrainian, Nigerian, or 
Mexican. 


>> Country of residence is important, and you will have fewer issues if your identity has its residence in Oslo or Paris than if you 
decide to live in Kyiv or Cairo. 


>> Language is important and you will have fewer issues if you speak English or the language of your Identity than if you use a non- 
related language. Do not make a Norwegian-born Arabic 20-year-old female that speaks Ukrainian or Arabic. 


Identities that are “EU residents” with an “EU IP” (VPN/Tor Exit IP) will benefit from GDPR protections on many platforms. Others will 
not. GDPR is your friend in most cases, and you should take this into account. 


Similarly, origin IP geolocation (your IP/location when you go to "whatsmyipaddress.com") should match your identity location as much 
as possible (when using VPN over Tor, you can pick this in the VPN client; otherwise create a new identity in Tor Browser or a new Brave 
Tor Tab until you get an appropriate Exit node, or configure Tor to restrict your Exit Nodes). Consider excluding any exit IP that is not 
located in Western Europe/US/Canada/Japan/South Korea/Australia/New Zealand as you will have fewer issues. Ideally, you should get a 
European Union IP to get additional GDPR protection and if possible, a German exit IP due to their legal stance on allowing anonymous 
accounts on online platforms. 





>> Brave Browser (Chromium-based) with a Private Tor Tab has (IMHO) a better acceptance level than Tor Browser (Firefox based). You 
will experience fewer issues with captchas and online platforms if you use Brave than if you use Tor Browser (feel free to try this 
yourself). 


>> For every identity, you should have a matching profile picture associated with it. For this purpose, I recommend you just go to 
https://thispersondoesnotexist.com/ and generate a computer-generated profile picture (do note that algorithms have been developed to 
detect these and it might not work 100% of the time). You can also generate such pictures yourself from your computer if you prefer by 
using the open-source StyleGAN project here https://github.com/NVlabs/stylegan2 [Archive.org]. Just refresh the page until you find a 
picture that matches your identity in all aspects (age, sex, and ethnicity) and save that picture. It would be even better to have several 
pictures associated with that identity, but I do not have an "easy way" of doing that yet. 


>> Bonus, you could also make it more real by using this service (with an anonymous identity) https://www.myheritage.com/deep-nostalgia 
[Archive.org] to make a picture more lifelike. Here is an example: 

[Screenshots: the original still picture and the MyHeritage Deep Nostalgia animation generated from it] 

You could also achieve the same result without using MyHeritage and by doing it yourself using for example 
https://github.com/AliaksandrSiarohin/first-order-model [Archive.org] but this will require more manual operations (and requires an NVIDIA 
GPU). Other commercial products will soon be available such as: https://www.d-id.com/talkingheads/ [Archive.org] with examples here: 
https://www.youtube.com/channel/UCqyzLOHYamYX2tNXBNSHr1w/videos [Invidious] 


Note: If you make several pictures of the same identity using some of the tools mentioned above, be sure to compare the similarities using 
the Microsoft Azure Face Verification tool at https://azure.microsoft.com/en-us/services/cognitive-services/face/#demo. 


>> Create in advance and store in KeePassXC each identity details that should include some crafted details as mentioned earlier. 


>> Do not pick an occupation at a well-known private corporation/company as they have people in their HR departments monitoring 
activities in platforms such as LinkedIn and will report your profile as being fake if it does not match their database. Instead, pick an 
occupation as a freelancer or at a large public institution where you will face less scrutiny due to their decentralized nature. 


>> Keep track (write down) of the background stories of your Identities. You should always use the same dates and answers everywhere. 
Everything should always match up. Even the stories you tell about your imaginary life should always match. If you say you work as an 
intern at the Department of Health one day and later on another platform, say you work as an intern at the Department of 
Transportation, people might question your identity. Be consistent. 


>> Use a different phone number for each identity. Online platforms do keep track of phone number usage and if one identity/phone number gets 
flagged/banned for violating Community Guidelines or Terms of Services, it might also get the other identities using the same phone number 
flagged/banned as well. 


>> Adapt your language/writing to the identity to not raise suspicions and lower your chances of being fingerprinted by online platforms. Be 
especially careful with using pedantic words and figures of speech/quotes that could allow some people to guess your writing is very 
similar to that person with this Twitter handle or this Reddit user. See Appendix A4: Counteracting Forensic Linguistics. 


>> Always use TOTP 2FA (not SMS to prevent Sim Swapping attacks and to keep your identity working when your pre-paid 
card expires) using KeePassXC when available to secure your logins to various platforms. 


>> Remember Appendix A2: Guidelines for passwords and passphrases. 


Here is also a good guide on this specific topic: https://gendersec.tacticaltech.org/wiki/index.php/Complete_manual#.22Real.22 names 
[Archive.org] 


Note: If you are having trouble finding an exit node in the country of your choice, you can also force specific countries (in Exit Nodes and 
therefore exit countries) on Tor by editing the torrc file on the Whonix Gateway or even the Tor Browser: 


>> Whonix/Tails: Create/Edit a file /usr/local/etc/torrc.d/50_user.conf 
>> On Tor Browser: Edit the torrc file located at Browser/TorBrowser/Data/Tor 
Once you are in the file, you can do the following: 
>> Specify the Exit Nodes by adding those two lines (which will require an Exit Node in China/Russia/Ukraine): 
>> ExitNodes {CH}, {RU}, {UA} 
>> StrictNodes 1 
>> Exclude specific Exit Nodes by adding this line (which will exclude all Exit Nodes from France/Germany/USA/UK): 
>> ExcludeNodes {FR}, {DE}, {US}, {UK} 


Always use uppercase letters for any setting. 
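As an added example (not from the guide), here is a small Python checker for torrc lines like the ones above: it parses ExitNodes/ExcludeNodes, verifies that every entry is an uppercase two-letter ISO 3166-1 code in braces, flags {UK} (not an assigned ISO code; the United Kingdom is GB) and contradictory entries, and prints what each code really means, which is worth doing since {CH} is Switzerland and China is {CN}. The ISO table inside is a constructed subset, not the full list.

```python
"""Sanity-check ExitNodes / ExcludeNodes lines from a torrc fragment (added example)."""
import re

# Constructed subset of ISO 3166-1 alpha-2 codes; extend as needed.
ISO_3166_ALPHA2 = {
    "CH": "Switzerland", "CN": "China", "RU": "Russia", "UA": "Ukraine",
    "FR": "France", "DE": "Germany", "US": "United States", "GB": "United Kingdom",
    "NL": "Netherlands", "SE": "Sweden",
}
# "UK" is not an assigned ISO 3166-1 code; the United Kingdom is "GB".
CODE_FIXES = {"UK": "GB"}
NODE_OPTIONS = ("ExitNodes", "ExcludeNodes", "ExcludeExitNodes", "EntryNodes")
# {CC} country token; Tor also uses {??} for relays whose country is unknown.
COUNTRY_TOKEN = re.compile(r"^\{([A-Za-z?]{2})\}$")


def parse_torrc(text):
    """Return ({option: [raw tokens]}, strict_nodes) from a torrc fragment."""
    nodes, strict = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if key.lower() == "strictnodes":
            strict = value.strip() == "1"
            continue
        for opt in NODE_OPTIONS:
            if key.lower() == opt.lower():
                # Tor accepts a comma-separated list, with or without spaces.
                nodes.setdefault(opt, []).extend(
                    t.strip() for t in value.split(",") if t.strip())
    return nodes, strict


def check_torrc(text):
    """Return human-readable problems; an empty list means the fragment looks sane."""
    nodes, _ = parse_torrc(text)
    problems, countries = [], {}
    for opt, tokens in nodes.items():
        seen = set()
        for tok in tokens:
            m = COUNTRY_TOKEN.match(tok)
            if not m:
                # Fingerprints and nicknames are legal here too; only flag a bare 2-letter code.
                if re.fullmatch(r"[A-Za-z]{2}", tok):
                    problems.append(f"{opt}: '{tok}' needs braces to be a country code: {{{tok}}}")
                continue
            code = m.group(1)
            if code != code.upper():
                problems.append(f"{opt}: country code '{code}' should be uppercase")
                code = code.upper()
            if code in CODE_FIXES:
                problems.append(f"{opt}: '{code}' is not an ISO 3166-1 code; use {CODE_FIXES[code]}")
            elif code != "??" and code not in ISO_3166_ALPHA2:
                problems.append(f"{opt}: unknown country code '{code}'")
            seen.add(code)
        countries[opt] = seen
    for code in sorted(countries.get("ExitNodes", set()) & countries.get("ExcludeNodes", set())):
        problems.append(f"'{code}' appears in both ExitNodes and ExcludeNodes (contradictory)")
    return problems


def describe(text):
    """Map each option's country codes to names, so you see what you really configured."""
    nodes, _ = parse_torrc(text)
    out = {}
    for opt, tokens in nodes.items():
        names = []
        for tok in tokens:
            m = COUNTRY_TOKEN.match(tok)
            if m:
                code = m.group(1).upper()
                names.append(ISO_3166_ALPHA2.get(code, f"unknown ({code})"))
        out[opt] = names
    return out


# The three lines suggested by the guide, verbatim.
GUIDE_FRAGMENT = """\
ExitNodes {CH}, {RU}, {UA}
StrictNodes 1
ExcludeNodes {FR}, {DE}, {US}, {UK}
"""

if __name__ == "__main__":
    print(describe(GUIDE_FRAGMENT))
    for problem in check_torrc(GUIDE_FRAGMENT):
        print("WARNING:", problem)
```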
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of available Exit Nodes here: https://www.bigdatacloud.com/insights/tor-exit-nodes A'chive.org] 


Here is the list of possibilities (the two-letter ISO 3166-1 country codes; this is a general list and many of those countries might not have Exit nodes at all). 


Checking if your Tor Exit Node is terrible: 


Skip this if you are using a VPN/Proxy over Tor (tho you can also do the same checks with a VPN exit node if you want). 
Not all Tor Exit nodes are equal. This is mostly due to what type of “exit policy” their operator applies to them. 


Some Tor Exit nodes are seen as more or less “clean” and will only show up in the Tor Exit nodes lists. Some other Tor Exit nodes are seen 
as “dirty” and will show up in dozens of various blocklists. So how do you know if you are on a clean one or a bad one? It is not that simple. 


If you are using Tor Browser Bundle (not on whonix workstation, on Tails, or on the Host/Guest OS): 


>> Go to the target website you want to sign-up for in a first tab 
>> Click the “lock” icon in the upper left corner 
>> Look at the third IP (Exit IP) you are using in that tab for that website 
>> Open a new second tab and go to https://mxtoolbox.com/blacklists.aspx 
>> Put the Exit IP from the first tab in the search box 
>> Check the amount of Blocklists the Tor Exit node is in. Ideally, it should only be in two: 
>> DAN TOR 
>> DAN TOREXIT 
>> If it is in other lists, you might run into issues 
>> If the Exit Node is “clean” (in few lists), proceed to go back to the first tab and open the site you want to try a sign-up for. 


If you are using Tor Browser on the whonix workstation: 





>> Open Tor Browser 
>> Open the first tab and navigate to a site revealing your IP like https://browserleaks.com/ip 
>> Open a second tab and go to https://mxtoolbox.com/blacklists.aspx 
>> Put the Exit IP from the first tab in the search box 
>> Check the amount of Blocklists the Tor Exit node is in. Ideally, it should only be in two: 
>> DAN TOR 
>> DAN TOREXIT 
>> If it is in other lists, you might run into issues 
>> If the Exit Node is “clean” (in few lists), proceed to go back to the first tab and open the site you want to try a sign-up for. 


If you are not using Tor Browser (on a non-whonix guest VM behind the whonix Gateway): 


>> Open your browser of choice 
>> Open the first tab and navigate to a site revealing your IP like https://browserleaks.com/ip 
>> Open a second tab and go to https://mxtoolbox.com/blacklists.aspx 
>> Put the Exit IP from the first tab in the search box 
>> Check the amount of Blocklists the Tor Exit node is in. Ideally, it should only be in two: 
>> DAN TOR 
>> DAN TOREXIT 
>> If it is in other lists, you might run into issues 
>> If the Exit Node is “clean” (in few lists), proceed to go back to the first tab and open the site you want to try a sign-up for. 
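The mxtoolbox lookup above is a batch of DNS blocklist (DNSBL) queries. As an added example (not from the guide), this Python script performs the same mechanism for one exit IP and applies the guide's rule of thumb: listed only in the two DAN Tor lists means “clean”, listed in other blocklists too means “dirty”. The DAN zone names are assumed (check them against the operator's documentation), Spamhaus ZEN and SpamCop stand in for the “other lists”, and the listings are constructed so the script runs offline; pass the real resolver to query live.

```python
"""Offline-testable DNSBL check for a Tor exit IP (added example)."""
import ipaddress
import socket

# Zones behind the "DAN TOR" / "DAN TOREXIT" entries in the guide (operated by dan.me.uk).
# Assumed zone names: confirm them against the operator's documentation before relying on this.
TOR_ZONES = {"tor.dan.me.uk": "DAN TOR", "torexit.dan.me.uk": "DAN TOREXIT"}
# Two general-purpose blocklists, as examples of the "other lists" a dirty exit shows up on.
OTHER_ZONES = {"zen.spamhaus.org": "Spamhaus ZEN", "bl.spamcop.net": "SpamCop"}


def dnsbl_name(ip, zone):
    """DNSBL query name: reversed IPv4 octets plus the zone, e.g. 1.2.3.4 -> 4.3.2.1.<zone>."""
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("only IPv4 queries are shown in this example")
    return ".".join(reversed(ip.split("."))) + "." + zone


def is_listed(ip, zone, resolve=socket.gethostbyname):
    """A DNSBL answers with an address in 127.0.0.0/8 when listed and NXDOMAIN otherwise."""
    try:
        answer = resolve(dnsbl_name(ip, zone))
    except socket.gaierror:  # NXDOMAIN: not listed
        return False
    return answer.startswith("127.")


def classify_exit(ip, resolve=socket.gethostbyname):
    """Return (verdict, [list names]) using the guide's rule of thumb.

    Listed only in the Tor lists -> "clean"; listed elsewhere as well -> "dirty";
    listed nowhere -> "unlisted" (not a known Tor exit, or a very new one).
    """
    zones = {**TOR_ZONES, **OTHER_ZONES}
    listed = [name for zone, name in zones.items() if is_listed(ip, zone, resolve)]
    if not listed:
        return "unlisted", listed
    if all(name in TOR_ZONES.values() for name in listed):
        return "clean", listed
    return "dirty", listed


# Constructed stand-in for DNS so the example runs offline (RFC 5737 documentation addresses).
CONSTRUCTED_LISTINGS = {
    ("198.51.100.7", "tor.dan.me.uk"), ("198.51.100.7", "torexit.dan.me.uk"),
    ("203.0.113.9", "torexit.dan.me.uk"), ("203.0.113.9", "zen.spamhaus.org"),
}


def offline_resolve(name):
    """Mimic gethostbyname against CONSTRUCTED_LISTINGS: 127.0.0.2 if listed, else NXDOMAIN."""
    if any(name == dnsbl_name(ip, zone) for ip, zone in CONSTRUCTED_LISTINGS):
        return "127.0.0.2"
    raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.9", "192.0.2.1"):
        print(ip, classify_exit(ip, offline_resolve))
```

A real mxtoolbox check covers many more lists than the four shown here; the verdict logic is the same.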


The Real-Name System: 


Unfortunately, not using your real identity is against the ToS (Terms of Services) of many services (especially those owned by Microsoft and 
Facebook). But don’t despair, as explained in the Requirements, it’s still legal in Germany where the courts have upheld the legality of not 
using real names on online platforms (§13 VI of the German Telemedia Act of 2007). 
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https://en.wikipedia.org/wiki/Facebook_real-name_policy_controversy [ikiless] [Archive.org] 
Here are some more references about the German case: 


>> https://slate.com/technology/2018/02/why-some-americans-are-cheering-germany-for-taking-on-facebooks-real-name-policy.html 
[Archive.org] 


>> https://www.theverge.com/2018/2/12/17005746/facebook-real-name-policy-illegal-german-court-rules [Archive.org] 
>> https://www.pcmag.com/news/german-court-rules-facebooks-real-name-policy-is-illegal [Archive.org] 
>> https://www.vzbv.de/sites/default/files/downloads/2018/02/14/18-02-12_vzbv_pm_facebook-urteil_en.pdf [Archive.org] 




>> https://www.reuters.com/article/us-germany-facebook/german-court-rules-facebook-use-of-personal-data-illegal-idUSKBN1FW71F 
[Archive.org] 


Alternatively, you could be an adult resident of any other country where you can confirm and verify the legality of this yourself. Again, this is 
not legal advice and I am not a lawyer. Do this at your own risk. 


Other countries where this was ruled illegal: 
>> South Korea (see https://en.wikipedia.org/wiki/Real-name_system#South_Korea [Wikiless] [Archive.org]) 
>> If you know any other, please let me know with references in the GitHub issues. 


Some platforms are bypassing this requirement altogether by requiring a valid payment method instead (see Financial transactions:). While 
this does not directly require a real name through their ToS, this has the same results as they usually only accept mainstream (not 
Monero/Cash) payment methods (such as Visa/MasterCard/Maestro or PayPal) which do require a real-name legally as part of their KYC 
regulations. The result is the same and even better than a simple real-name policy you could ignore in some countries such as Germany. 


About paid services: 





If you intend to use paid services, privilege those accepting cash payments or Monero payments which you can do directly and safely while 
keeping your anonymity. 


If the service you intend to buy does not accept those but accepts Bitcoin (BTC), consider the following appendix: Appendix Z: Paying 
anonymously online with BTC (or any other cryptocurrency). 


Overview: 


This section will show you an overview of the current various requirements on some platforms: 


>> Consider using the recommended tools on https://privacyguides.org [Archive.org] for better privacy instead of the usual 
mainstream ones. 


>> Consider using the recommended tools on https://www.whonix.org/wiki/Documentation [Archive.org] as well instead of the usual 
mainstream ones such as E-mail providers: https://www.whonix.org/wiki/E-Mail#Anonymity_Friendly_Email_Provider_List 
[Archive.org] 
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account. If you want to use privacy-aware tools and platforms, head on to https://privacyguides.org !4'Cn've.org] 
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>> “Maybe”: It did happen in a minority of my tests. 
>> “Likely”: It did happen in most of my tests. 
>> “Yes” or “No”: This either happened or never happened systematically in all my tests. 
>> “Easy”: The overall experience was straightforward with little to no obstacles. 
>> “Medium”: The overall experience has some obstacles, but it is still doable without too much hassle. 
>> “Hard”: The overall experience is a painful struggle with many obstacles. 
>> “N/A”: Not applicable because I could not test it within the context of this guide. 


>> “Indirectly”: This means they do require something but indirectly through a third-party system (Financial KYC for example). 
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OnlyFans 
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ProtonVPN 
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>> See The Real-Name System for essential information. See below for details. 


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Yes 







Amazon: 


>> Is this against their ToS? No, but yes https://www.amazon.com/gp/help/customer/display.html?nodeId=202140280 [Archive.org] 
“1. Amazon Services, Amazon Software 


A. Use of Amazon Services on a Product. To use certain Amazon Services on a Product, you must have your own Amazon.com account, be 
logged in to your account on the Product, and have a valid payment method associated with your account.” 


While it does not technically require a real name, it does require a valid payment method. Unfortunately, it will not accept “cash” or “Monero” 
as a payment method. So instead, they are relying on financial KYC (where a real-name policy is pretty much enforced everywhere). 


>> Will they require a phone number? Yes, but see below 
>> Can you create accounts through Tor? Yes, but see below 


Because of this valid payment method requirement, I could not test this. While this is seemingly not against their ToS, it is not possible within 
the context of this guide unless you manage to obtain a valid KYC payment method anonymously which AFAIK is pretty much impossible or 
extremely difficult. 


So, AFAIK, it is not possible to create an anonymous Amazon account. 


Apple: 


>> Is this against their ToS? Yes https://www.apple.com/legal/internet-services/icloud/en/terms.html [Archive.org] 
“IV. Your Use of the Service 
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complete information when you register with, and as you use, the Service (“Service Registration Data”), and you agree to update 
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>> Will they require a phone number? Yes 
>> Can you create accounts through Tor? Yes 
Note that this account will not allow you to set up an Apple mail account. For that, you will need an Apple device. 


Binance: 


>> Is this against their ToS? Yes https://www.binance.com/en/terms [Archive.org] 
>> Will they require a phone number? No, they do require an e-mail 


>> Can you create accounts through Tor? No 





Briar: 


>> Is this against their ToS? No https://briarproject.org/privacy-policy/ [Archive.org] 
>> Will they require a phone number? No, they do not even require an e-mail 
>> Can you create accounts through Tor? Yes 


Discord: 


>> Is this against their ToS? No https://discord.com/terms [Archive.org] 
>> Will they require a phone number? No, but they do require an e-mail 
>> Can you create accounts through Tor? I had no issues with that so far using the Desktop Client 
You might encounter more issues using the Web Client (Captchas), especially with Tor Browser. 
I suggest using the Discord Client app on a VM through Tor or ideally through VPN/Proxy over Tor to mitigate such issues. 


Element: 


>> Is this against their ToS? No https://element.io/terms-of-service [Archive.org] 
>> Will they require a phone number? No, they do not even require an e-mail 
>> Can you create accounts through Tor? Yes 

Expect some Captchas during account creation on some homeservers. 


Facebook: 


>> Is this against their ToS? Yes https://www.facebook.com/terms.php [Archive.org] 
“1. Who can use Facebook 
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>> Use the same name that you use in everyday life. 
>> Provide accurate information about yourself. 
>> Will they require a phone number? Yes, and probably more later 


>> Can you create accounts through Tor? Yes, but it is very difficult and their onion address will not help. In most cases, you'll just have 
a random error at sign-up and your account suspended after sign-in. 


But this clause of their ToS is illegal in Germany (see Requirements). 


Facebook is one of the most aggressive platforms with identity verification and is pushing hard their “real name policy”. It is why this guide is 
only advised to German residents. 


Over my tests tho I was able to pinpoint a few tips: 
>> It will be easier if you have an Instagram account first. 


>> Signing up through Tor is almost impossible (even using their .onion address which is a joke) and will only succeed if you are “very 
lucky” (I assume if you are using an exit node that is not yet known by Facebook verification systems). In most cases, it will not allow 
registration at all and will just fail with “An error has occurred during registration”. 


>> Signing up through VPNs is more likely to succeed but might still result in the same error. So, you must be ready for a lot of trial and 
error here. 


>> Signing up through a Self-Hosted VPN/Proxy is your best bet but make sure your profile/identity matches the IP geolocation. 


>> My earlier entry in the guide about the Orwellian quote from Animal Farm is in full effect on Facebook. You will experience huge 
variation in acceptance depending on age/sex/ethnicity/nationality/... This is where you will have far fewer issues if you are making an 
account of a Young European Caucasian Female. You will almost certainly fail if you try making a Middle-Aged Male where my other 
accounts are still unsuspended/unbanned to this day. 


>> Logging-in (after you sign-up) however works fine with VPN and Tor but might still trigger an account suspension for violating 
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Ideally, you should log-in back with the same IP from a self-hosted VPN/Proxy. 


I also suspect strongly based on my tests that the following points have an impact on your likelihood of being suspended over time: 
>> Not having friends 
>> Not having interests and an “organic activity” 
>> Not being in the contacts of any other user 
>> Not being on other platforms (such as Instagram/WhatsApp) 





>> Restricting your profile privacy settings too soon after signing-up 


If your account gets suspended, you will need to appeal the decision through a quite simple form that will require you to submit a “proof of 
ID”. However, that proof of ID verification system is more lenient than LinkedIn and will allow you to send various documents which require far 
less Photoshop skills. 


It is also possible that they ask you to take a selfie video or picture making certain gestures to prove your identity. If that is the case, I am 
afraid it is a dead-end for now unless you use a deepfake face swapping technique. 


If you do file an appeal, you will have to wait for Facebook to review it (I do not know whether this is automatic or human) and you will have to 
wait and hope for them to unsuspend your account. 


GitHub: 


>> Is this against their ToS? No https://docs.github.com/en/free-pro-team@latest/github/site-policy/github-terms-of-service [Archive.org] 
>> Will they require a phone number? Nope, all good 
>> Can you create accounts through Tor? Yes, but expect some captchas 

GitHub is straightforward and requires no phone number. 

Be sure to go into Settings > E-Mail and make your e-mail private as well as block any push that would reveal your e-mail. 


GitLab: 


>> Is this against their ToS? No https://about.gitlab.com/handbook/legal/subscription-agreement/ [Archive.org] 
>> Will they require a phone number? Nope, all good 
>> Can you create accounts through Tor? Yes, but expect captchas 

GitLab is straightforward and requires no phone number. 


Google: 


>> Is this against their ToS? No https://policies.google.com/terms [Archive.org] 

>> Will they require a phone number? Yes, they will. There is no escape here. 
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ProtonMail is good ... but to appear less suspicious, it is simply better to also have a mainstream Google Mail account. 


Like ProtonMail, Google will also most likely require a phone number during sign-up as part of their verification process. However, contrary to 
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folUT alate mats sign-upso ao", 


From my experience during my research, this count is limited to three accounts/phone numbers. If you are unlucky with your number (if it was 
previously used by another mobile user), it might be less. 
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to use the identity details you made up earlier (birthdate). When the account is created, please do take some time to do the following: 
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ProtonMail Address > Verify (using ProtonMail) > Go back to Gmail and set the forwarding to forward and delete Google copy > Save. 
This step will allow you to check your Google Mail using ProtonMail instead and will allow you to avoid triggering Google Security 
checks by Logging in from various VPN/Tor exit IP addresses in the future while storing your sensitive e-mail at ProtonMail instead. This 
trick will allow you to receive all the e-mails from your Gmail address on your ProtonMail (or other) address without needing to login into 
your Google account (reducing risks of it being suspended, especially if you use Tor). 


>> Enable 2FA within the Google account settings. First, you will have to enable 2FA using the phone number. Then you will see the option 
appear to enable 2FA using an Authenticator app. Use that option and set it up with a new KeePassXC TOTP entry. When it is done, 
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not have it anymore) to recover/gain access to that account. 


>> Add ProtonMail as a recovery e-mail address for the account. 
>> Remove the phone number from the account details as a recovery option. 
>> Upload a Google profile picture you made earlier during the identity creation step. 
>> Review the Google Privacy settings to disable as much as you can: 
>> Activity logging 
>> YouTube 


>> Log out and do not touch it unless needed (as mentioned, you will use ProtonMail to check your Gmail). 





Keep in mind that there are different algorithms in place to check for weird activity. If you receive any mail (on ProtonMail) prompting about a 
Google Security Warning, click it and click the button to say, “Yes it was me”. It helps. 


Do not use that account for “sign-up with Google” anywhere unless necessary. 


Be extremely careful if you decide to use the account for Google activities (such as Google Maps reviews or YouTube Comments) as those 
can easily trigger some checks (Negative reviews, Comments breaking Community Guidelines on YouTube). 


If your account gets suspended (this can happen on sign-up, after signing-up or after using it in some Google services), you can still get it 
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be deleted after a while. 


After suspension, if your Google account is restored, you should be fine. 
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be able to use it to sign-up on a different account. Be careful when using those to avoid losing them. They are precious. 
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HackerNews: 


>> Is this against their ToS? No https://www.ycombinator.com/legal/#tou [Archive.org] 
>> Will they require a phone number? No, they do not even require an e-mail 


>> Can you create accounts through Tor? Yes 


Instagram: 


>> Is this against their ToS? Maybe? I am not sure https://help.instagram.com/581066165581870?ref=dp [Archive.org] 
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>> Will they require a phone number? Maybe but less likely over VPN and very likely over Tor 
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It is also possible that they ask you to take a selfie video or picture-making certain gestures to prove your identity (within the app or through 
an e-mail request). If that is the case, I am afraid it is a dead-end for now. 


It is no secret that Instagram is part of Facebook however it is more lenient than Facebook when it comes to user verification. It is quite 
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For instance, | noticed that you will face fewer issues creating a Facebook account if you already have a valid Instagram account. You should 
always create an Instagram account before trying Facebook. 
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2FA from the web for a reason | do not understand. 
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>> Upload a picture of your generated identity if you want. 
>> Go into your Settings 
>> Make the account private (initially at least) 
>> Do not show activity status 
>> Do not allow sharing 


Jami: 


>> Is this against their ToS? No https://jami.net/privacy-policy/ [Archive.org] 
>> Will they require a phone number? No, they do not even require an e-mail 
>> Can you create accounts through Tor? Nope, it does not work for some technical reason 


iVPN: 


>> Is this against their ToS? No https://www.ivpn.net/tos/ [Archive.org] 


>> Will they require a phone number? No, they do not even require an e-mail 





>> Can you create accounts through Tor? Yes 


Kraken: 


>> Is this against their ToS? Yes https://www.kraken.com/legal [Archive.org] 
>> Will they require a phone number? No, they do require an e-mail 
>> Can you create accounts through Tor? Yes 


LinkedIn: 


>> Is this against their ToS? Yes https://www.linkedin.com/legal/user-agreement [Archive.org] 


“To use the Services, you agree that: (1) you must be the “Minimum Age” (described below) or older; (2) you will only have one LinkedIn 
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sixteen. “ 


But this clause of their ToS is illegal in Germany (see Requirements). 


>> Will they require a phone number? Yes, they will. 
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LinkedIn is far less aggressive than twitter but will nonetheless require a valid e-mail (preferably again your Gmail) and a phone number in 
most cases (tho not always). 


LinkedIn however is relying a lot on reports and user/customer moderation. You should not create a profile with an occupation inside a private 
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join. They can then report your profile as fake, and your profile will then be suspended or banned pending appeal. 


LinkedIn will then require you to go through a verification process that will, unfortunately, require you to send an ID proof (identity card, 


passport, driver’s license). This ID verification is processed by a company called Jumio that specializes in ID proofing. This is most likely a 
dead end as this would force you to develop some strong Photoshop skills. 


Instead, you are far less likely to be reported if you just stay vague (say you are a student/intern/freelance) or pretend you work for a large 
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As with Twitter and Google, you should do the following after signing up: 
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>> Upload a picture of your identity 
MailFence: 
>> Is this against their ToS? No 
>> Will they require a phone number? No, but they require an e-mail 


>> Can you create accounts through Tor? Maybe. From my tests, the signing-up verification e-mails are not sent when using Tor to sign-up. 
No issues however when using a VPN over Tor or a Proxy over Tor. 


Medium: 


>> Is this against their ToS? No, unless it is about crypto https://policy.medium.com/medium-terms-of-service-9db0094a1e0f [Archive.org] 
>> Will they require a phone number? No, but they require an e-mail 
>> Can you create accounts through Tor? No issues with that so far 
Signing-in does require an e-mail every time. 


Microsoft: 


>> Is this against their ToS? Yes https://www.microsoft.com/en/servicesagreement/ [Archive.org] 


“i. Creating an Account. You can create a Microsoft account by signing up online. You agree not to use any false, inaccurate or 
misleading information when signing up for your Microsoft account.” 


But this clause of their ToS is illegal in Germany (see Requirements). 


>> Will they require a phone number? Likely but not always. Depending on your luck with your Tor exit node, they may only require e-mail 
verification. If you use a VPN over Tor, they will likely only ask for an e-mail. 


>> Can you create accounts through Tor? Yes, you can but expect captchas, at least e-mail verification, and likely phone verification. 





So yes, it is still possible to create an MS account without a phone number and using Tor or VPN, but you might have to cycle through a few 
exit nodes to achieve this. 


After signing up you should set up 2FA within the security options using KeePassXC TOTP. 


Mullvad: 


>> Is this against their ToS? No https://mullvad.net/en/help/terms-service/ [Archive.org] 
>> Will they require a phone number? No, they do not even require an e-mail. 


>> Can you create accounts through Tor? Yes. 


Njalla: 


>> Is this against their ToS? No https://njal.la/tos/ [Archive.org] 
>> Will they require a phone number? No, but they do require an e-mail or an XMPP (Jabber) account somewhere. 


>> Can you create accounts through Tor? Yes, they even have a “.onion” address at 
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>> Is this against their ToS? No, they do not even have Terms of Services 
>> Will they require a phone number? No, they do not even require an e-mail 


>> Can you create accounts through Tor? Yes (obviously) 


OnlyFans: 


>> Is this against their ToS? No, it looks fine https://onlyfans.com/terms [Archive.org] 
>> Will they require a phone number? No, they do require an e-mail 
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requires a KYC type financial transaction check. So, not very useful. 


ProtonMail: 


>> Is this against their ToS? No https://ProtonMail.com/terms-and-conditions [Archive.org] 


>> Will they require a phone number? Maybe. This depends on the IP you are coming from. If you come from Tor, it is likely. From a VPN, 
it is less likely. 
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be required over a VPN. They even have a “.onion” address at 
https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r404vfu7ozyd.onion/. 


You obviously need an e-mail for your online identity and disposable e-mails are pretty much banned everywhere. 


ProtonMail is a free e-mail provider based in Switzerland that advocates security and privacy. 


They are recommended by Privacyguides.org. Their only apparent issue is that they do require (in most cases) a phone number or 
another e-mail address for registration (when you try to register from a VPN or Tor at least). 


They claim they do not store/link the phone/e-mail associated with the registration but only store a hash that is not linked to the account. If 
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reasonably safe from tracking. 


This e-mail account can be used for creating a Google/Gmail account. 


ProtonVPN: 


>> Is this against their ToS? No https://protonvpn.com/terms-and-conditions [Archive.org] 
>> Will they require a phone number? No, but they do require an e-mail. 
>> Can you create accounts through Tor? Yes 


Reddit: 


>> Is this against their ToS? No https://www.redditinc.com/policies [Archive.org] 
>> Will they require a phone number? No, they will not. 


>> Can you create accounts through Tor? Yes 





Reddit is simple. All you need to register is a valid username and a password. Normally they do not even require an e-mail (you can skip the 
e-mail when registering, leaving it blank). 


No issues whatsoever signing up over Tor or VPN besides the occasional Captchas. 


Consider reading this reddit post: https://old.reddit.com/r/ShadowBan/comments/8a2gpk/an_unofficial_guide_on_how_to_avoid_being/ 
[Archive.org] 


Slashdot: 


>> Is this against their ToS? Yes https://slashdotmedia.com/terms-of-use/ [Archive.org] 
“8. Registration; Use of Secure Areas and Passwords 


Some areas of the Sites may require you to register with us. When and if you register, you agree to (a) provide accurate, current, and 
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information (including your e-mail address) to keep it accurate, current, and complete. You acknowledge that should any information provided 
by you be found to be untrue, inaccurate, not current, or incomplete, we reserve the right to terminate this Agreement with you and your 
current or future use of the Sites (or any portion thereof)”. 


>> Will they require a phone number? No 


>> Can you create accounts through Tor? Yes 


Telegram: 


>> Is this against their ToS? No https://telegram.org/tos [Archive.org] 

>> Will they require a phone number? Yes, unfortunately 

>> Can you create accounts through Tor? Yes, but sometimes you randomly get banned without any reason 
Telegram is quite straightforward, and you can download their portable Windows app to sign-up and log in. 
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In most cases, | had no issues whether it was over Tor or VPN, but | had a few cases where my telegram account was just banned for 
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They provide an appeal process through e-mail, but | had no success with getting any answer. 


Their appeal process is just sending an e-mail to recover@telegram.org [Archive.org] stating your phone number and issue and hope they 
answer. 


After signing up you should do the following: 
>> Go into Edit profile 
>> Set a Username 
>> Go into Settings (Desktop App) 
>> Set the Phone Number visibility to Nobody 
>> Set Last Seen & Online to Nobody 
>> Set Forwarded Messages to Nobody 
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Tutanota: 


>> Is this against their ToS? No https://tutanota.com/terms/ [Archive.org] 
>> Will they require a phone number? No, but they do require an e-mail. 
>> Can you create accounts through Tor? Not really, almost all Tor Exit nodes are banned AFAIK 


Twitter: 


>> Is this against their ToS? No https://twitter.com/en/tos 
>> Will they require a phone number? They might not at sign-up, but they will just after sign-up or later. 
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Twitter is extremely aggressive in preventing anonymity on its network. You should sign up using e-mail and password (not phone) and not 
using “Sign-in with Google”. Use your Gmail as the e-mail address. 





More than likely, your account will be suspended immediately during the sign-up process and will require you to complete a series of 
automated tests to unlock. This will include a series of captchas, confirmation of your e-mail and Twitter handle, or other information. In some 
cases, it will also require your phone number. 


In some cases, despite you selecting a text verification, the Twitter verification system will call the phone no matter what. In that case, you will 
have to pick up and hear the verification code. I suspect this is another method of preventing automated systems and malicious users from 
selling text-receiving services over the internet. 




Once the account is restored, you should take some time to do the following: 
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>> Enable 2FA from the security settings using a new KeePassXC TOTP entry, save the security codes in KeePassXC as well. 
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>> Disable all personalized advertising settings 
>> Disable geolocation of tweets 
>> Remove the phone number from the account 
>> Follow some people based 
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After about a week, you should check Twitter again and the chances are quite high that it will be suspended again for “suspicious activity” or 
“violating community guidelines” despite you not using it at all (not even a single tweet/follow/like/retweet or DM), but this time by another 
system. I call this the “Double-tap”. 


This time you will need to submit an appeal using a form, provide a good reason and wait for the appeal to be processed by Twitter. 
During that process, you may receive an e-mail (on ProtonMail) asking you to reply to a customer service ticket to prove that you do have 
access to your e-mail and that it is you. This will be directed toward your Gmail address but will arrive on your ProtonMail. 


Do not reply from ProtonMail as this will raise suspicions; you must sign in to Gmail (unfortunately) and compose a new mail from there, 
copy-pasting the E-Mail, Subject, and Content from ProtonMail, as well as a reply confirming you have access to that e-mail. 


After a few days, your account should get unsuspended “for good”. No issues after that but keep in mind they can still ban your account for 
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Twitch: 


>> Is this against their ToS? No https://www.twitch.tv/p/en/legal/terms-of-service/ [Archive.org] 
>> Will they require a phone number? No, but they do require an e-mail. 
>> Can you create accounts through Tor? Yes 
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>> Is this against their ToS? Yes https://www.whatsapp.com/legal/updates/terms-of-service-eea [Archive.org] 


“Registration. You must register for our Services using accurate information, provide your current mobile phone number, and, if you 
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(from us or our third-party providers) with codes to register for our Services”. 


>> Will they require a phone number? Yes, they do. 

>> Can you create accounts through Tor? No issues with that so far. 
4chan: 

>> Is this against their ToS? No 

>> Will they require a phone number? No, they will not. 

>> Can you post there with Tor or VPN? Not likely. 


4chan is 4chan ... This guide will not explain 4chan to you. They block Tor exit nodes and known VPN IP ranges. 





You are going to have to find a separate way to post there using at least seven proxies that are not known by 4chan’s blocking system (hint: 
Anonymous VPS using Monero is probably your best option). 
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Crypto wallets: 


Crypto is in most cases NOT anonymous and can be traced back to you when you buy/sell any (remember the Your Cryptocurrencies 
transactions section). 
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What about those mobile-only apps (whatsApp/Signal)? 


There are only three ways of securely using those anonymously (that I would recommend). Using a VPN on your phone is not one of those 
ways. All of those are, unfortunately, “tedious” to say the least. 


>> Use an Android Emulator within the Windows VM and run the App through your multi-layer of Tor/VPN. The drawback is that such 
emulators are usually quite resource-hungry and will slow down your VM and use more battery. Here is also an (outdated) guide on this 


matter: https://www.bellingcat.com/resources/how-tos/2018/08/23/creating-android-open-source-research-device-pc/ [Archive.org] As for 
myself, I will recommend the use of: 


>> Android-x86 on Virtualbox (see https://www.android-x86.org/documentation/virtualbox.html [Archive.org]) that you can also set up 
easily. 


>> AnBox (https://anbox.io [Archive.org]) that you can also set up rather easily including on the Whonix Workstation, see 
https://www.whonix.org/wiki/Anbox [Archive.org] 


>> Not recommended: Using a non-official app (such as Wassapp for WhatsApp) to connect from the Windows VM to the app. Use at 
your own risk as you could get banned for violating the terms of services by using a non-official App. 
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Tethering/Sharing of the connection through Wi-Fi. I will not detail this here, but it is an option. 


There is no way to reliably set a decent multi-layered connectivity approach easily on an Android phone (it is not even possible on IOS as far 
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Anything else: 
You should use the same logic and security for any other platform. 
It should work in most cases with most platforms. The hardest platform to use with full anonymity is Facebook. 


This will obviously not work with banks and most financial platforms (such as PayPal or Crypto Exchanges) requiring actual real official and 
existing identification. This guide will not help you there as this would be illegal in most places. 


How to share files privately and/or chat anonymously: 


There are plenty of messaging apps everywhere. Some have excellent UI and UX and terrible Security/Privacy. Some have excellent 
Security/Privacy but terrible UI and UX. It is not easy to pick the ones that you should use for sensitive activities. So, this section will help you 
pick. 


Before going further, there are also some key basic concepts you should understand: 


End-to-end Encryption: 


End-to-end Encryption (aka e2ee) is a rather simple concept. It just means only you and your destination know each other’s public 
encryption keys and no one in between that would be eavesdropping would be able to decrypt the communication. 





However, the term is often used differently depending on the provider: 


>> Some providers will claim e2ee but forget to mention what is covered by their protocols. For instance, is metadata also protected within 
their e2ee protocol? Or is it just the content of the messages? 


>> Some providers do provide e2ee but only as an opt-in option (disabled by default). 
>> Some providers do offer e2ee with 1 to 1 messaging but not with group messaging. 


>> Some providers will claim the use of e2ee, but their proprietary apps are closed source where no one can verify the claim and the 
strength of the encryption used. 


For these reasons, it is always important to check the claims of various apps. Open-Source apps should always be preferred to verify what 
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Roll your own crypto: 
See the Bad Cryptography section at the start of this guide. 
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published and peer-reviewed academically). Again, this is harder to verify with closed-source proprietary apps. 


It is not that rolling your own crypto is bad in essence, it is that good cryptography needs real peer-reviewing, auditing, testing... And since 
you are probably not a cryptanalyst (and I am not one either), chances are high we are not competent to assess the cryptography of some 
apps. 


Forward Secrecy: 


Forward Secrecy (FS aka PFS for Perfect Forward Secrecy) is a property of the key agreement protocol of some of those messaging 
apps and is a companion feature of e2ee. This happens before you establish communication with the destination. The “Forward” refers to the 
future in time and means that every time you establish a new e2ee communication, a new set of keys will be generated for that specific 
session. The goal of forward secrecy is to maintain the secrecy of past communications (sessions) even if the current one is compromised. If 
an adversary manages to get hold of your current e2ee keys, that adversary will then be limited to the content of the single session and will 
not be able to easily decrypt past ones. 


This has some user experience drawbacks; for instance, a new device may not be able to conveniently access the remotely stored chat 
history without additional steps. 
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More on this topic on this YouTube video: https://www.youtube.com/watch?v=zSQtyW_ywZc [Invidious] 


Some providers and apps claiming to offer e2ee do not offer FS/PFS sometimes for usability reasons (group messaging for instance is more 
complex with PFS). It is therefore important to prefer open-source apps providing forward secrecy to those that do not. 
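The forward-secrecy property described above, shown as an added example that is not part of the original guide: a toy Python model in which Alice and Bob either reuse long-term Diffie-Hellman keys for every session or agree a fresh key from ephemeral keys per session, and an attacker who seizes the device after the last session tries to read the earlier ones. Assumptions: the RFC 2409 1024-bit group parameters are transcribed here and should be checked against the RFC before reuse, the XOR stream cipher and SHA-256 derivation are stand-ins for a real AEAD and KDF, and all function names (run_static_key_sessions, run_forward_secret_sessions, demo) are hypothetical.

```python
"""Forward secrecy versus long-term keys: a toy model (added example, not from the guide)."""
import hashlib
import hmac
import secrets

# 1024-bit MODP group (RFC 2409 group 2). ASSUMPTION: transcribed here for the
# demonstration; check the digits against the RFC before reusing them anywhere.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def dh_keypair():
    """Return (private exponent, public value) for one Diffie-Hellman party."""
    priv = secrets.randbits(256) | 1          # a 256-bit exponent is enough for a demo
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    """g^(ab) mod p, computed from our private exponent and the peer's public value."""
    return pow(peer_pub, priv, P)


def session_key(shared, session_id):
    """Derive a 32-byte key from the DH secret; SHA-256 stands in for a real KDF."""
    shared_bytes = shared.to_bytes((P.bit_length() + 7) // 8, "big")
    return hashlib.sha256(b"session" + session_id.to_bytes(4, "big") + shared_bytes).digest()


def xor_stream(key, data):
    """Toy confidentiality-only stream cipher: HMAC-SHA256 counter keystream XORed in.
    The same call encrypts and decrypts.  No authentication tag: illustration only."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        keystream = hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def run_static_key_sessions(messages):
    """No forward secrecy: every session reuses Alice's and Bob's long-term DH keys,
    so each session key is a deterministic function of keys that stay on the device."""
    alice_priv, alice_pub = dh_keypair()
    bob_priv, bob_pub = dh_keypair()
    transcript = []                           # what a passive eavesdropper records
    for sid, msg in enumerate(messages):
        key = session_key(dh_shared(alice_priv, bob_pub), sid)
        assert key == session_key(dh_shared(bob_priv, alice_pub), sid)  # both sides agree
        transcript.append((sid, xor_stream(key, msg)))
    # Bob's device is seized after the last session; his long-term private key and
    # Alice's public key (in his contact list) are both still present.
    stolen = {"bob_priv": bob_priv, "alice_pub": alice_pub}
    return transcript, stolen


def recover_static(transcript, stolen):
    """Attacker re-derives every past session key from the stolen long-term key."""
    shared = dh_shared(stolen["bob_priv"], stolen["alice_pub"])
    return [xor_stream(session_key(shared, sid), ct) for sid, ct in transcript]


def run_forward_secret_sessions(messages):
    """Forward secrecy: each session agrees a key from fresh ephemeral DH keys that are
    erased afterwards, so only the current session's key exists at seizure time."""
    transcript = []
    current_key = None
    for sid, msg in enumerate(messages):
        a_priv, a_pub = dh_keypair()          # fresh pair for this session only
        b_priv, b_pub = dh_keypair()
        current_key = session_key(dh_shared(a_priv, b_pub), sid)
        assert current_key == session_key(dh_shared(b_priv, a_pub), sid)
        transcript.append((sid, xor_stream(current_key, msg)))
        del a_priv, b_priv                    # ephemeral secrets are wiped after use
    stolen = {"current_key": current_key}     # the only key material left on the device
    return transcript, stolen


def recover_forward_secret(transcript, stolen):
    """Attacker tries the one remaining key against every recorded session."""
    return [xor_stream(stolen["current_key"], ct) for _, ct in transcript]


def demo(messages=(b"session 0: plans", b"session 1: more plans", b"session 2: latest")):
    """Per session, True if the attacker recovered the plaintext after the seizure."""
    messages = list(messages)
    t_static, s_static = run_static_key_sessions(messages)
    t_fs, s_fs = run_forward_secret_sessions(messages)
    return {
        "static": [pt == m for pt, m in zip(recover_static(t_static, s_static), messages)],
        "forward_secret": [pt == m for pt, m in zip(recover_forward_secret(t_fs, s_fs), messages)],
    }


if __name__ == "__main__":
    print(demo())  # {'static': [True, True, True], 'forward_secret': [False, False, True]}
```

With long-term keys the seizure exposes every recorded session; with ephemeral keys only the session still open at seizure time is readable, which is exactly the limit the paragraph describes.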


Zero-Access Encryption at rest: 


Zero-Access Encryption at rest is used when you store data at some provider (let us say your chat history or chat backups) but this history 
or backup is encrypted on your side and cannot be read or decrypted by the provider hosting it. 


Zero-Access encryption is an added feature/companion to e2ee but is applied mainly to data at rest and not communications. 
Examples of this issue would be iMessage and WhatsApp, see the Your Cloud backups/sync services section at the start of this guide. 


So again, it is best to prefer Apps/Providers that do offer Zero-Access Encryption at rest and cannot read/access any of your data/metadata 
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Metadata Protection: 


Remember the Your Metadata including your Geo-Location section. End-to-end Encryption is one thing, but it does not necessarily protect 
your metadata. 


For instance, WhatsApp might not know what you are saying but they might know who you are talking to, how long and when you have been 
talking to someone, who else is in groups with you, and if you transferred data with them (such as large files). 


End-to-end Encryption does not in itself protect an eavesdropper from harvesting your metadata. 


This data can also be protected/obfuscated by some protocols to make metadata harvesting substantially harder for eavesdroppers. This is 
the case for instance with the Signal Protocol which does offer some added protection with features like: 


>> The Sealed Sender option. 
>> The Private Contact Discovery. 
>> The Private Group System. 





Other Apps like Briar or OnionShare will protect metadata by using the Tor Network as a shield and storing everything locally on-device. 
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Most apps however and especially closed-source proprietary commercial apps will collect and retain your metadata for various purposes. 
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Open-Source: 


Finally, Open-Source apps should always be preferred because they allow third parties to check actual capabilities and weaknesses vs 
claims of marketing departments. Open-Source does not mean the app should be free or non-commercial. It just means transparency. 


Comparison: 


Below you will find a small table showing the state of messaging apps as of the writing of this guide based on my tests and data from the 
various sources below: 


>> Wikipedia, https://en.wikipedia.org/wiki/Comparison_of_instant_messaging_protocols [Wikiless] [Archive.org] 
>> Wikipedia, https://en.wikipedia.org/wiki/Comparison_of_cross-platform_instant_messaging_clients [Wikiless] [Archive.org] 
>> Secure Messaging Apps https://www.securemessagingapps.com/ [Archive.org] 
>> ProtonMail Blog, https://protonmail.com/blog/whatsapp-alternatives/ [Archive.org] 
>> Whonix Documentation, Instant Messenger Chat https://www.whonix.org/wiki/Chat [Archive.org] 
>> Have a look at https://securechatguide.org/featuresmatrix.html [Archive.org] which is also a good comparison table for messaging apps. 
>> Messenger-Matrix.de at https://www.messenger-matrix.de/messenger-matrix-en.html [Archive.org] 
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1. Briar Documentation, Bramble Transport Protocol version 4 https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BTP.md [Archive.org] 
2. Serpentsec, Matrix https://web.archive.org/web/https://serpentsec.1337.cx/matrix 
3. Wikipedia, GnuTLS, https://en.wikipedia.org/wiki/GnuTLS [Wikiless] [Archive.org] 
4. KTH Royal Institute of Technology, School of Electrical Engineering, A Security and Privacy Audit of KakaoTalk’s End-to-End Encryption www.diva-portal.org/smash/get/diva2:1046438/FULLTEXT01.pdf [Archive.org] 
5. Wikipedia, OTR https://en.wikipedia.org/wiki/Off-the-Record_Messaging [Wikiless] [Archive.org] 
6. Pidgin Security Advisories, https://www.pidgin.im/about/security/advisories/ [Archive.org] 
7. Whonix Forum, Tox Integration https://forums.whonix.org/t/tox-qtox-whonix-integration/1219 [Archive.org] 
8. Telegram Documentation, MTProto Mobile Protocol https://core.telegram.org/mtproto [Archive.org] 
9. Wikipedia, Telegram Security Breaches, https://en.wikipedia.org/wiki/Telegram_(software)#Security_breaches [Wikiless] [Archive.org] 
10. TechCrunch, Maybe we shouldn’t use Zoom after all, https://techcrunch.com/2020/03/31/zoom-at-your-own-risk/ [Archive.org] 
11. The Intercept, Zoom Meetings Aren’t End-to-End Encrypted, Despite Misleading Marketing https://theintercept.com/2020/03/31/zoom-meeting-encryption/ [Tor Mirror] [Archive.org] 
12. Serpentsec, Secure Messaging: Choosing a chat app https://web.archive.org/web/https://serpentsec.1337.cx/secure-messaging-choosing-a-chat-app 


Legend: 


1. The mention “preferred” or “avoid” refers to the use of those apps for sensitive communications. This is just my opinion, and you can 
make your own using the resources above and others. Remember “Trust but verify”. 


2. e2ee refers to “end-to-end encryption” 

3. Additional steps might be needed for securing Tor Connectivity 

4. Their ability and willingness to fight for privacy and not cooperate with various adversaries 
5. Only the client apps are open-source, not the server-side apps 


6. This means the data is fully encrypted at rest (and not only during transit) and unreadable by any third party without a key you only 
know (including backups) 


7. Unverifiable because it is proprietary closed source. 
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9. Jami will require you to enable DHTProxy in their options to work and it will be limited to text only. 
10. Session also uses their own Onion Routing solution called LokiNet 
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methods such as Cash/Monero. 


Conclusion: 


Remember: Appendix B1: Checklist of things to verify before sharing information. 


I will recommend these options in that order (as also recommended by Privacyguides.org [Archive.org], except for Session and Cwtch): 
>> macOS: 
    >> Native Tor Onion Routing Support (preferred): 
        >> OnionShare version >2.3 (https://onionshare.org/ [Tor Mirror] [Archive.org]) 
        >> Cwtch (https://cwtch.im [Archive.org] warning, this is at the alpha/beta stage) 
    >> Non-Native Tor Support (needs additional steps for ideal anonymity to proxy it through Tor through Virtualization or Proxying): 
        >> Element/Matrix.org (https://element.io/ [Archive.org]) 
        >> Jami (https://jami.net/ [Archive.org]) 
        >> Gajim/XMPP (https://gajim.org/ [Archive.org]) 
>> Windows: 
    >> Native Tor Onion Routing Support (preferred): 
        >> OnionShare version >2.3 (https://onionshare.org/ [Tor Mirror] [Archive.org]) 
        >> Cwtch (https://cwtch.im [Archive.org] warning, this is at the alpha/beta stage) 
    >> Non-Native Tor Support (needs additional steps for ideal anonymity to proxy it through Tor through Virtualization or Proxying): 
        >> Element/Matrix.org (https://element.io/ [Archive.org]) 
        >> Jami (https://jami.net/ [Archive.org]) 
        >> Gajim/XMPP (https://gajim.org/ [Archive.org]) 
>> Linux: 
    >> Native Tor Onion Routing Support (preferred): 
        >> Briar (https://briarproject.org/ [Archive.org]) 
        >> OnionShare version >2.3 (https://onionshare.org/ [Tor Mirror] [Archive.org]) 
        >> Cwtch (https://cwtch.im [Archive.org] warning, this is at the alpha/beta stage) 
    >> Non-Native Tor Support (needs additional steps for ideal anonymity to proxy it through Tor through Virtualization or Proxying): 
        >> Element/Matrix.org (https://element.io/ [Archive.org]) 
        >> Jami (https://jami.net/ [Archive.org]) 
        >> Gajim/XMPP (https://gajim.org/ [Archive.org]) 


>> Note that for Jami to work over Tor, you will have to enable the local DHTProxy option within Jami Settings. This will only work for text 
messages. 
>> Note that these options will store your information locally on the device/OS where you are setting them up. Do not use those on a 
non-persistent OS unless you want ephemeral use. 


Any safe options for mobile devices? Yes, but these are not endorsed/recommended except Briar on Android. Remember also that 
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>> Android: 
>> Briar (https://briarproject.org/ [Archive.org]) 


>> Cwtch (https://cwtch.im [Archive.org] warning, this is at the alpha/beta stage) 
>> iOS: 


>> Due to the lack of any better option and while it is normally not recommended: Session Messenger: https://getsession.org/ 
[Archive.org] Why is it not recommended these days within the privacy community? Well, it is because they recently dropped 
two key security features from their protocol: Perfect Forward Secrecy and Deniability, which are considered rather essential in 
most other apps. Yet Session has been audited with satisfactory results, but that audit does not mention these changes. We 
also currently lack sufficient information on LokiNet (the Onion Routing Network used by Session) to endorse it. Session is still 
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While I do not recommend most of the messaging platforms for the various reasons outlined above (phone number and e-mail requirements), 
this does not mean it is not possible to use them anonymously if you know what you are doing. You can use even Facebook Messenger 
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The ones that are preferred are recommended due to their stance on privacy, their default settings, their crypto choices but also because 
they are open source. 


Those should be privileged in most cases. Yes, this guide has a Discord server, and a Twitter account despite those not being recommended 
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Signal if possible. 


How to share files publicly but anonymously: 
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Consider the following platforms: 


>> Cryptpad.fr (https://cryptpad.fr/): Free tier limited to 1GB total and recommended by PrivacyGuides.org at 
https://privacyguides.org/providers/cloud-storage/ [Archive.org] 


>> AnonArchive (https://anonarchive.org/): free tier limited to 1GB total 


>> Filen (https://filen.io/): free tier limited to 10GB total 





Consider the use of IPFS: 
>> Pinata (https://www.pinata.cloud/): Free tier limited to 1GB total 


Redacting Documents/Pictures/Videos/Audio safely: 
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For all these purposes here are a few recommendations: 
>> Ideally, you should not use proprietary software such as Adobe Photoshop, Microsoft Office... 
>> Preferably, you should use open-source software instead such as LibreOffice, Gimp... 
While the commercial alternatives are feature-rich, they are also proprietary closed-source and often have various issues such as: 
>> Sending telemetry information back to the company. 
>> Adding unnecessary metadata and sometimes watermarks to your documents. 
>> These apps are not free, and any leak of any metadata could be traced back to you since you had to buy these somewhere. 


It is possible to use commercial software for making sensitive documents, but you should be extra careful with all the options in the various 
Apps (commercial or free) to prevent any data leak from revealing information about you. 


Here is a comparative table of recommended/included software compiled from various sources (PrivacyGuides.org, Whonix, Tails, Prism- 
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basis. 


[Comparison table; the per-source columns are not legible in this copy. Recoverable entries per software type:] 
Offline Document Editing: LibreOffice, Notepad++, LibreOffice* 
Online Document Editing: Etherpad.org 
Pictures Editing: Flameshot (L), GIMP 
Audio Editing: Audacity 
Video Editing: OpenShot (?) 
PDF Redaction: LibreOffice, PDF-Redact Tools (L) 


Legend: * Not recommended but mentioned. N/A = Not Included or absence of recommendation for that software type. (L)= Linux Only but 
can maybe be used on Windows/macOS through other means (HomeBrew, Virtualization, Cygwin). (?)= Not tested but open-source and 
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Files/Documents/Pictures). 


Communicating sensitive information to various known organizations: 
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If you must do so, you should take some steps because you cannot trust any organization to protect your anonymity. See Appendix B1: 
Checklist of things to verify before sharing information. 


For this, I strongly recommend the use of SecureDrop (https://securedrop.org/ [Archive.org]) which is an open-source project from the 
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>> Do take a moment to read their “source guide” here: https://docs.securedrop.org/en/stable/source.html [Archive.org] 


>> Ideally, you should use SecureDrop over Tor and you will find a curated list of those here https://github.com/alecmuffett/real-world- 
onion-sites#securedrop [Archive.org] 
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Without SecureDrop you could consider: 
>> Using e-mail with GPG encryption provided your recipient has published a GPG key somewhere. You can look this up here: 
>> On their verified Social Media accounts (Twitter) if they provided it. 
>> On https://keybase.io (Tor address http://keybase5wmilwokgirssclfnsqrjdsi7jdirswy7y7iu3tanwmtp6oid.onion) 
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>> https://pgp.mit.edu/ 
>> https://keyserver.ubuntu.com/ 
>> https://keys.openpgp.org 
>> Using any other platform (even Twitter DMs) but again using GPG to encrypt the message for the recipient. 
What you should avoid IMHO: 


>> Do not send physical materials using the post due to the risk of leaving DNA/Fingerprints or other traceable information (see Cash-Paid 
VPN (preferred)). 


>> Do not use methods linked to a phone number (even a burner one) such as Signal/WhatsApp/Telegram. 
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>> Do not leak any clues about your real identity when exchanging messages. 
>> Do not meet people in real life unless you have absolutely no other option (this is a last resort option). 
If you intend to break your anonymity to protect your safety: 
>> Assess the risks very carefully first. 
>> Inform yourself carefully on the legality/safety of your intent and the consequences for you and others. Think about it carefully. 
>> Possibly reach out to a trusted lawyer before doing so. 
Maintenance tasks: 
>> You should sign in carefully to your accounts from time to time to keep them alive. 
>> Check your e-mail regularly for security checks and any other account notification. 


>> Check regularly whether any of your identities shows up in a known breach using https://haveibeenpwned.com/ [Archive.org] 
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Offline Backups: 


These backups can be done on an external hard drive or a USB key. Here are the various possibilities. 


Selected Files Backups: 


Requirements: 





For these backups, you will need a USB key or an external hard drive with enough storage capacity to store the files you want to back up. 


Veracrypt: 


For this purpose, I will recommend the use of Veracrypt on all platforms (Linux/Windows/macOS) for convenience, security, and portability. 
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The process is fairly simple and all you will need is to follow Veracrypt tutorial here: 


https://www.veracrypt.fr/en/Beginner%27s%20Tutorial.html [Archive.org] 
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container. 
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Hidden File containers with plausible deniability: 


The process is also fairly simple and similar to the earlier tutorial except for this time you will use the Veracrypt wizard to create a Hidden 
Veracrypt Volume instead of a Standard Veracrypt Volume. 


You can create a Hidden volume within an existing Standard Volume or just use the wizard to create a new one. 


Let us say you want a container of 8GB: the Wizard will first create an “outer volume” where you will be able to store decoy information when 
prompted. Some decoy files (somewhat sensitive, plausible but not what you want to hide) should be stored in the decoy volume. 


Then Veracrypt will ask you to create a smaller hidden container (for instance 2GB or 4GB) within the outer volume where you can store your 
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Hidden volume. 
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volume password on the same screen. Then mount the decoy volume. This will protect the hidden volume from being overwritten when 
changing the decoy files. This is also explained here in Veracrypt documentation: 


https://www.veracrypt.fr/en/Protection%20of%20Hidden%20Volumes.html [Archive.org] 
Be extremely cautious with these file containers: 


>> Do not store multiple versions of them or store them anywhere where some versioning is being done (by the file system or 
the storage system). These file containers should be identical everywhere you store them. If you have a backup of such 
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recommendations here https://www.veracrypt.fr/en/Security%20Requirements%20for%20Hidden%20Volumes.html [Archive.org]. 
Remember the Local Data Leaks and Forensics: section. 


>> I strongly recommend storing such containers on external USB keys that you will only mount from your guest VMs and never from your 
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assets before you could update the keys from having multiple versions of the containers that could lead to proving the existence of 
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existence of hidden data. 


>> If you are mounting the hidden volume from your Host OS (not recommended), you should erase all traces of this hidden volume 
everywhere after use. There could be traces in various places (system logs, file system journaling, recent documents in your 
applications, indexing, registry entries...). Refer to the Some additional measures against forensics section of this guide to remove such 
artifacts, especially on Windows. Instead, you should mount them on your Guest VMs. With Virtualbox for instance, you could take a 
snapshot of the VM before opening/working on the hidden volume and then restore that snapshot after use. 
This should erase the traces of its presence and mitigate the issue. Your Host OS might keep logs of the USB key being inserted but 
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>> Do not store these on external SSD drives if you are not sure you can use Trim on them (see the Understanding HDD vs SSD section). 


Full Disk/System Backups: 





TLDR version: Just use Clonezilla as it worked reliably and consistently with all my tests on all operating systems except for Macs 
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>> (Not recommended) Doing your backup from the live operating system using a backup utility (commercial utilities such as EaseUS Todo 
Free, Macrium Reflect...) or native utilities like macOS Time Machine, QubesOS Backup, Ubuntu Déjà Dup, or Windows Backup...). 


>> This backup can be done while the Operating System is running. 


>> This backup will not be encrypted using the disk encryption but using the Backup utility encryption algorithm (which you will have 
to trust and cannot really control for most). Alternatively, you could encrypt the backup media yourself separately (for instance with 
Veracrypt). I am not aware of any free or non-free utility that natively supports Veracrypt. 


>> Some utilities will allow for differential/incremental backups instead of full backups. 


>> These backup utilities will not be able to restore your encrypted drive as-is as they do not support those encrypted file systems 
natively. And so, these will require more work to restore your system in an encrypted state (re-encryption after restoring). 


>> (Recommended) Doing it offline from a boot drive (Such as with the free open-source Clonezilla). 
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>> This backup will back up the encrypted disk as-is and therefore will be encrypted by default with the same mechanism (it is more 
like a fire and forget solution). The restore will also restore the encryption as-is and your system will immediately be ready to use 
after a restore. 
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>> This method is the easiest to manage. 


I did extensive testing using live backup utilities (Macrium Reflect, EaseUS Todo Reflect, Déjà Dup...) and personally I do not think it is 
worth it. Instead, I would recommend that you periodically back up your system with a simple Clonezilla image. It is much easier to perform, 
much easier to restore, and usually works reliably without issues in all cases. And contrary to many beliefs, it is not that slow with most 
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earlier section. 


Requirements: 


You will need a separate external drive with at least the same or more free space available than your source disk. If your laptop has a 250GB
disk, you will need at least 250GB of free disk space for the full image backup. Sometimes this will be reduced significantly with compression
by the backup utility, but as a safety rule, you should have at least the same or more space on your backup drive.


Some general warnings and considerations:
>> If you use Secure Boot, you will need a backup utility that supports Secure Boot, which includes the Clonezilla AMD64 versions.


>> Consider the use of exFAT as the file system for your backup drives as it will provide better compatibility between various OSes
(macOS, Linux, and Windows) than NTFS/HFS/ext4.
UBUNTU (OR ANY OTHER DISTRO OF CHOICE):
methods you could use for this purpose.


So, you should follow the steps in Appendix E: Clonezilla 


QUBESOS: 


Qubes OS recommends using their own utility for backups as documented here: https://www.qubes-os.org/doc/backup-restore/ [Archive.org].
But it is just a hassle and provides limited added value unless you just want to back up a single Qube. So instead, I am also recommending
just making a full image with Clonezilla, which will remove all the hassle and bring you back a working system in a few simple steps.


So, you should follow the steps in Appendix E: Clonezilla 
I will only recommend the use of the open-source and free Clonezilla utility for this purpose. There are commercial utilities that offer the same
functionality, but I do not see any advantage in using any of them vs Clonezilla.


Some warnings: 


>> If you use Bitlocker for encryption with TPM enabled, you might need to save your Bitlocker Key (safely) somewhere as well, as this
might be needed to restore your drive if your HDD/SSD or other hardware parts changed. Another option would be to use Bitlocker
without the use of TPM, which would not require this step. But again, I do not recommend using Bitlocker at all.


>> You should always have a backup of your Veracrypt rescue disk at hand somewhere to be able to resolve some issues that might still
appear after a restore. Remember this rescue disk does not contain your passphrase or any sensitive information. You can store it as is.


>> If you changed the HDD/SSD after a failure, Windows 10 may refuse to boot if your hard drive ID is changed. You should also save this
ID before backing up, as you might need to change the ID of the new drive to match it before Windows 10 will boot.
See Appendix F: Diskpart.
Follow the steps in Appendix E: Clonezilla


macOS: 


I would recommend just using the native Time Machine backup with encryption (and a strong passphrase that could be the same as your OS)
as per the guides provided at Apple: https://support.apple.com/en-ie/guide/mac-help/mh21241/mac [Archive.org] and
https://support.apple.com/en-ie/guide/mac-help/mh11421/11.0/mac/11.0 [Archive.org].


So, plug in an external drive and it should prompt you to use it as a Time Machine backup. 


You could however consider formatting this drive as exFAT so that it is also usable by other OSes (Windows/Linux) without added software
using this guide: https://support.apple.com/en-ie/guide/disk-utility/dskutl1010/mac [Archive.org]
you will be also able to use this disk for backing up other devices.


It is possible to also use Clonezilla to clone your Mac hard drive, but it could bring hardware compatibility issues and probably will not add
much in terms of security. So, for macOS, I am not specifically recommending Clonezilla.


Online Backups: 


Files: 


This is a tricky one. The problem is that it depends on your threat model. 
should never store them on any platform where you do not have full control over the deletion process as the platform will most likely
have backups of previous versions for some time. And again, these previous versions could allow forensics to prove the existence of
untouched compared to any local version).


>> If you use normally encrypted backups without plausible deniability, you could store them pretty much anywhere if they are properly
encrypted locally before uploading (for example with Veracrypt, using strong passphrases and encryption). Do not ever trust the
encryption of an online provider. Only trust your own local encryption (using Veracrypt for instance). In that case, you could place your
backups pretty much anywhere in the accounts of your online identities (iCloud, Google Drive, Dropbox) if they are
strongly encrypted locally before uploading. But you could also prefer privacy caring services such as Cryptpad.fr (1GB).


Obviously, do not ever do/access those backups from unsecured/unsafe devices but only from the secure environments you picked before.
Self-hosting: 

Self-hosting (using Nextcloud for instance) is also a possibility, provided you have anonymous hosting.

Please see Appendix A1: Recommended VPS hosting providers. 


Please also consider Appendix B2: Monero Disclaimer. 


Cloud-hosting: 


For smaller files, consider: 


>> Cryptpad.fr (https://cryptpad.fr/): Free tier limited to 1GB total and recommended by PrivacyGuides.org at 
https://privacyguides.org/providers/cloud-storage/ [Archive.org] 


>> AnonArchive (https://anonarchive.org/): free tier limited to 1GB total 
>> Filen (https://filen.io/): free tier limited to 10GB total 
If you do intend to store sensitive data on “mainstream platforms” (Dropbox, Google Drive, OneDrive...), remember not to ever store
there. Either with software like Veracrypt or with software like Cryptomator (https://cryptomator.org/). Do not ever upload non-encrypted
files to those platforms and, repeating myself, only access them from a secure shielded VM.
If you just want to save information (text), I will recommend the use of secure and private pastebins. Mostly I will stick to the ones
recommended by PrivacyGuides.org (https://privacyguides.org/providers/paste/ [Archive.org]):
>> https://privatebin.info/
>> https://cryptpad.fr/pad/
On these providers, you can just create a password-protected pad with the information you want to store.


Just create a pad, protect it with a password and write your info in it. Remember the address of the pad. 


Synchronizing your files between devices Online: 


To that, the answer is very simple and a clear consensus for everyone: https://syncthing.net/ [Archive.org]


Just use Syncthing, it is the safest and most secure way to synchronize between devices, it is free and open-source, and it can easily be
used in a portable way without installation, from a container that needs syncing.


Covering your tracks: 


Understanding HDD vs SSD: 
If you intend to wipe your whole HDD laptop, the process is rather straightforward. The data is written at a precise location on a magnetic
(hard) platter (which is why it is called a hard drive) and your OS knows precisely where it is on the platter, where to delete it, and where to overwrite it
for secure deletion using simple processes (like just overwriting that location over and over until no traces are left).


On the other hand, if you are using an SSD drive, the process is not as simple as the drive uses several internal mechanisms to extend its
lifespan and performance. Three of those processes are of particular interest for this guide. SSD drives themselves fall into two main
categories:


>> ATA Drives (usually SATA and usually 2.5” format as the image above). 
>> NVMe Drives (usually M.2 format as the illustration below). 


Here are examples of the most common formats: 
The methods and utilities to manage/wipe them will vary depending on the type of drive you are using. So, it is important you know which one
you have inside your laptop.
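As an added example (not code from the guide), the following Python reads the Linux sysfs attributes rotational and discard_max_bytes under /sys/block to tell an HDD from an SSD, an NVMe drive from other attachments, and whether the drive exposes Trim; it then maps the guide's wiping advice onto the result. The sysfs root is a parameter and build_sample_sysfs constructs a fake tree, so it also runs offline.

```python
"""Tell HDDs from SSDs, NVMe from other attachments, and check Trim (discard)
support on Linux from sysfs (added example, not code from the guide). It reads
/sys/block/<dev>/queue/rotational and /sys/block/<dev>/queue/discard_max_bytes;
the sysfs root is a parameter so the same code runs on a constructed tree."""
import os
import tempfile
from typing import Dict, List

# Kernel block device names with no physical media of their own.
VIRTUAL_PREFIXES = ("loop", "ram", "dm-", "zram", "sr", "md")


def _read_int(path: str, default: int) -> int:
    """Read a single-integer sysfs attribute; fall back on the default if absent."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return default


def classify_drives(sysfs_block: str = "/sys/block") -> List[Dict[str, object]]:
    """One record per physical block device: media type, interface, Trim support."""
    drives = []
    for name in sorted(os.listdir(sysfs_block)):
        if name.startswith(VIRTUAL_PREFIXES):
            continue
        queue = os.path.join(sysfs_block, name, "queue")
        # rotational=1 is a spinning HDD; 0 is flash (SSD, eMMC, USB stick).
        rotational = _read_int(os.path.join(queue, "rotational"), default=1)
        # discard_max_bytes=0 means the device (or its USB bridge) exposes no Trim.
        discard_max = _read_int(os.path.join(queue, "discard_max_bytes"), default=0)
        drives.append({
            "device": name,
            "media": "HDD" if rotational else "SSD",
            "interface": "NVMe" if name.startswith("nvme") else "ATA/USB/other",
            "trim": discard_max > 0,
        })
    return drives


def wipe_advice(drive: Dict[str, object]) -> str:
    """Map the guide's recommendations onto the detected drive type."""
    if drive["media"] == "HDD":
        return "HDD: overwrite passes (e.g. shred/ShredOS) are meaningful"
    if drive["interface"] == "NVMe":
        tool = "nvme-cli (NVMe Sanitize/Secure Erase)"
    else:
        tool = "hdparm (ATA Secure Erase/Sanitize)"
    note = ""
    if not drive["trim"]:
        note = "; no Trim exposed, so re-encrypting the whole disk is the fallback"
    return f"SSD: do not use overwrite passes; use firmware erase via {tool}{note}"


def build_sample_sysfs() -> str:
    """Constructed sysfs tree for offline testing: an NVMe SSD with Trim, a SATA
    HDD, a USB-attached SSD whose bridge hides Trim, and a loop device."""
    root = tempfile.mkdtemp(prefix="fake_sysfs_")
    sample = {"nvme0n1": ("0", "2199023255040"), "sda": ("1", "0"),
              "sdb": ("0", "0"), "loop0": ("0", "0")}
    for name, (rotational, discard) in sample.items():
        queue = os.path.join(root, name, "queue")
        os.makedirs(queue)
        with open(os.path.join(queue, "rotational"), "w") as fh:
            fh.write(rotational + "\n")
        with open(os.path.join(queue, "discard_max_bytes"), "w") as fh:
            fh.write(discard + "\n")
    return root


if __name__ == "__main__":
    for d in classify_drives():
        trim = "Trim" if d["trim"] else "no Trim"
        print(d["device"], d["media"], d["interface"], trim, "->", wipe_advice(d))
```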
Wear-Leveling:


These drives use a technique called wear leveling. At a high level, wear leveling works as follows. The space on every disk is divided into
blocks that are themselves divided into pages, like the chapters in a book are made of pages. When a file is written to disk, it is assigned to a
certain set of pages and blocks. If you wanted to overwrite the file on an HDD, then all you would have to do is tell the disk to overwrite those
blocks. But in SSDs and USB drives, erasing and re-writing the same block can wear it out. Each block can only be erased and rewritten a
limited number of times before that block just will not work anymore (the same way if you keep writing and erasing with a pencil and paper,
eventually the paper might rip and be useless). To counteract this, SSDs and USB drives will try to make sure that the number of times each
block has been erased and rewritten is about the same so that the drive will last as long as possible (thus the term wear leveling). As a side
effect, sometimes instead of erasing and writing the block a file was originally stored on, the drive will instead leave that block alone, mark it
electronics of the disk, so the operating system does not even realize it has happened. This means, however, that even if you try to overwrite
a file, there is no guarantee the drive will actually overwrite it, and that’s why secure deletion with SSDs is so much harder.


Wear-leveling alone can therefore be a disadvantage for security and an advantage for adversaries such as forensic examiners. This
feature makes classic “secure deletion” counter-productive and useless, which is why it was removed from some operating systems
like macOS (as of version 10.11 El Capitan), where you could previously enable it for the Recycle Bin.


Most of those old secure deletion utilities were written with HDDs in mind, have no control over wear-leveling, and are completely pointless
when used on an SSD. Avoid them on an SSD drive.


Trim Operations:
Ubuntu, Qubes OS...).


If Trim operations are not done regularly (or at all), then the data is never deleted pro-actively and at some point, all the blocks and pages will
be occupied by data. Your OS will not see this and will just see free space as you delete files, but your SSD controller will not (this is called
Write Amplification). This will then force the SSD controller to erase those pages and blocks on the fly, which will reduce the write
performance. This is because while your OS/SSD can write data to any free page in any block, erasure is only possible on entire blocks,
therefore forcing your SSD to perform many operations to write new data. Overwriting is just not possible. This will defeat the wear-leveling
system and cause performance degradation of your SSD over time. Every time you delete a file on an SSD, your OS should issue a Trim
command along with the deletion to let the SSD controller know that the pages containing the file data are now free for deletion.


So, Trim itself does not delete any data but just marks it for deletion. Data deleted without using Trim (if Trim has been
OS sees as free space. But it might stick around for a bit longer than if you use Trim.


Here is an illustration from Wikipedia showing how it works on an SSD drive: 
[Illustration: pages of a block are written, later marked invalid, and cannot be overwritten until the whole block is erased; the last step is garbage collection.]
As you can see in the above illustration, data (from a file) will be written to the first four pages of Block X. Later new data will be written to the
remaining pages and the data from the first files will be marked as invalid (for instance by a Trim operation when deleting a file). As explained
above, the erase operation can only be done on entire blocks (and not on single pages).
Read After Trim” or “Deterministic Zeroes After Trim”. This means that if an adversary tries to read data from a trimmed page/block and
somehow manages to disable garbage collection, the controller will not return any meaningful data.


This is also the reason you should not use Veracrypt Plausible Deniability on a Trim-enabled SSD, as this feature is incompatible with Trim.
Garbage collection is an internal process running within your SSD drive that looks for data marked for erasure. This process is done by
the SSD controller, and you have no control over it. If you go back to the illustration above, you will see that garbage collection is the last
step: it notices that some pages are marked for deletion in a specific block, copies the valid pages (not marked for deletion) to a
different free destination block and is then able to erase the source block entirely.
Garbage collection is one of the processes that will actually erase data from your SSD drive permanently.
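To make the wear-leveling, Trim and garbage collection behaviour described above concrete, here is an added toy model of a flash translation layer (not the guide's code, and a deliberate simplification of what a real controller does): it shows that an OS-level overwrite leaves the old page in flash, that Trim only marks pages, and that garbage collection is the step that actually erases them.

```python
"""Toy model of an SSD flash translation layer (added example, not the guide's
code): it mimics the wear-leveling, Trim and garbage-collection behaviour the
text describes so the security consequence is visible. Block size, allocation
policy and the GC trigger are deliberate simplifications."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PAGES_PER_BLOCK = 4  # constructed value; real blocks hold hundreds of pages


@dataclass
class Page:
    data: Optional[bytes] = None  # None means the page is in the erased state
    state: str = "free"           # free | valid | invalid (stale, awaiting erase)


class ToySSD:
    def __init__(self, n_blocks: int) -> None:
        self.blocks: List[List[Page]] = [
            [Page() for _ in range(PAGES_PER_BLOCK)] for _ in range(n_blocks)]
        self.erase_counts = [0] * n_blocks
        # logical page (what the OS addresses) -> physical (block, page)
        self.mapping: Dict[int, Tuple[int, int]] = {}

    def _allocate(self, exclude: Optional[int] = None) -> Tuple[int, int]:
        """Wear leveling: hand out a free page from the least-erased block."""
        free = [(self.erase_counts[b], b, p)
                for b, blk in enumerate(self.blocks)
                for p, pg in enumerate(blk)
                if pg.state == "free" and b != exclude]
        if not free:
            raise RuntimeError("no free pages: garbage collection needed first")
        _, b, p = min(free)
        return b, p

    def write(self, lpage: int, data: bytes) -> None:
        """An OS-level 'overwrite': a fresh page is written and the old copy is
        merely marked invalid, so its bytes stay in flash."""
        if lpage in self.mapping:
            ob, op = self.mapping[lpage]
            self.blocks[ob][op].state = "invalid"
        b, p = self._allocate()
        self.blocks[b][p] = Page(data, "valid")
        self.mapping[lpage] = (b, p)

    def trim(self, lpage: int) -> None:
        """Trim marks a logical page as unused; nothing is erased yet."""
        loc = self.mapping.pop(lpage, None)
        if loc is not None:
            self.blocks[loc[0]][loc[1]].state = "invalid"

    def garbage_collect(self) -> None:
        """Erase works per block: copy a dirty block's valid pages elsewhere,
        then erase the whole block (this is what finally destroys stale data)."""
        for b, blk in enumerate(self.blocks):
            if not any(pg.state == "invalid" for pg in blk):
                continue
            for p, pg in enumerate(blk):
                if pg.state == "valid":
                    nb, q = self._allocate(exclude=b)
                    self.blocks[nb][q] = Page(pg.data, "valid")
                    owner = next(lp for lp, loc in self.mapping.items() if loc == (b, p))
                    self.mapping[owner] = (nb, q)
            self.blocks[b] = [Page() for _ in range(PAGES_PER_BLOCK)]
            self.erase_counts[b] += 1

    def remnants(self, needle: bytes) -> int:
        """Forensic view: physical pages still holding `needle`, mapped or not."""
        return sum(1 for blk in self.blocks for pg in blk if pg.data == needle)


def demo() -> Dict[str, int]:
    """Run the cases the guide discusses and count surviving copies of a secret."""
    ssd = ToySSD(n_blocks=2)
    secret = b"SECRET"
    out: Dict[str, int] = {}
    # Case 1: HDD-style "secure deletion" by overwriting the file with zeros.
    ssd.write(0, secret)
    ssd.write(0, b"\x00" * len(secret))
    out["after_overwrite"] = ssd.remnants(secret)      # old page left alone
    ssd.garbage_collect()
    out["after_overwrite_gc"] = ssd.remnants(secret)   # destroyed only by GC
    # Case 2: the filesystem deletes the file but sends no Trim. The controller
    # still considers the page valid, so garbage collection never erases it.
    ssd.write(1, secret)
    ssd.garbage_collect()
    out["deleted_no_trim_gc"] = ssd.remnants(secret)
    # Case 3: the deletion is followed by Trim, then by garbage collection.
    ssd.trim(1)
    out["after_trim"] = ssd.remnants(secret)           # Trim only marks
    ssd.garbage_collect()
    out["after_trim_gc"] = ssd.remnants(secret)
    return out
```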
So, the fact is that it is very unlikely and difficult for a forensic examiner to be able to recover data from a Trimmed SSD, but it is not
completely impossible either if they are fast enough and have access to extensive equipment, skills, and motivation.


Within the context of this guide, which also uses full disk encryption, deletion and Trim should be reasonably secure enough on any SSD
How to securely wipe your whole Laptop/Drives if you want to erase everything:





NUKE IT FROM ORBIT. IT'S THE ONLY WAY TO BE SURE.
So, you want to be sure. To achieve 100% secure deletion on an SSD drive, we will need to use specific SSD techniques (if you are using an
HDD drive, skip this part and go to your OS of choice):


>> Easy options for less experienced users: 
>> If available, just use the Secure Erase option available from your BIOS/UEFI (ATA/NVME Secure Erase or Sanitize). 


>> Just re-install a fresh operating system (delete/quick format the drive) and re-encrypt it. The full disk encryption process should 
erase all previous data from the disk. 


>> Buy PartedMagic for $11 and use it to erase any disk.
>> Technical options for more advanced users: 


>> ATA/NVMe Secure Erase: This method will remove the mapping table that keeps track of allocated data on the storage Blocks but 
does not destroy the actual data. 


>> ATA/NVMe Sanitize Crypto Scramble (aka Instant Secure Erase, Crypto Erase), which applies to self-encrypting SSD drives: This 
method will change the encryption key of the self-encrypting SSD drive and render all the data stored in it unreadable. 


>> ATA/NVMe Sanitize Block Erase: This method performs an actual block erase on every storage block and will destroy the data 
and change the encryption key if present. 
>> ATA/NVMe Sanitize Overwrite: This method will perform a block erase and then overwrite every storage block (it is the same as Block Erase but will overwrite data in addition). This method is
overkill and not necessary IMHO.


>> Physical Destruction:
>> HDDs:
>> Open the drive (with a screwdriver, usually Torx T8)
>> Remove platters (with a screwdriver, usually Torx T6)
>> Rub the platters with a rare earth magnet
>> Break/Deform/Crush the platters
>> Burn them
>> Separate the debris
>> Throw away in separate places
>> SSDs:
>> Open the drive
>> Break/Crush the board and memory cells
>> Burn them
>> Separate the debris
>> Throw away in separate places


>> Bonus: See https://www.youtube.com/watch?v=-bpX8YvNg6yY [Invidious]


For maximum overkill paranoia security, the Sanitize Block Erase option should be preferred, but Secure Erase is probably more than enough
when considering your drive is already encrypted. Unfortunately, there are no free, easy (bootable with a graphical menu) all-in-one tools available
and you will be left with either going with drive manufacturer-provided tools, the free manual hdparm and nvme-cli utilities, or going
with a commercial tool such as PartedMagic.


This guide will therefore recommend the use of the free utilities hdparm and nvme-cli using a Live System Rescue system. 





If you can afford it, just buy Parted Magic for $11, which provides an easy-to-use graphical tool for wiping SSD drives using the option of your
choice.
(ATA/NVMe Secure Erase or ATA/NVMe Sanitize). If this is available, you should use that, and the following steps will not be
Linux (all versions including Qubes OS):
System/Internal SSD:


>> Option A: Check if your BIOS/UEFI has a built-in option to do so and if it does, use the correct option (“ATA/NVMe Secure Erase” or 
“ATA/NVMe Sanitize”). Do not use wipe with passes on an SSD drive. 


>> Option B: See Appendix D: Using System Rescue to securely wipe an SSD drive. 


>> Option C: Wipe your disk and re-install Linux with new full disk encryption to overwrite all sectors with new encrypted data. This
method will be terribly slow compared to Option A and B as it will slowly overwrite your whole SSD. Also note that this might
not be the default behavior when using LUKS. You might have to check the option to also encrypt the empty space for this to
effectively wipe the drive.
wear-leveling mechanisms might prevent this from working properly.


External SSD: 


First please see Appendix K: Considerations for using external SSD drives 
https://wiki.archlinux.org/index.php/Solid_state_drive#Trim_an_entire_device [Archive.org]


If your USB controller and USB SSD disk support Trim and ATA/NVMe secure erase, you could cautiously wipe them with hdparm using the
same method as the System Disk above, except you will obviously not install Linux on it. Keep in mind tho that this is not recommended (see
Considerations above).


If it does not support Trim and/or ATA secure erase, you could (not securely) wipe the drive normally (without passes like an HDD) and re- 
encrypt it completely using your utility of choice (LUKS or Veracrypt for instance). The full disk decryption and re-encryption process will 
overwrite the entirety of the SSD disk and should ensure a secure wipe. 
ensure secure deletion (this can be done with BleachBit https://www.bleachbit.org/download/linux [Archive.org] or from the command line using
secure-delete following this tutorial https://superuser.com/questions/19326/how-to-wipe-free-disk-space-in-linux [Archive.org]),
wear-leveling mechanisms might prevent this from working properly.


Internal/System HDD: 


>> Option A: Check if your BIOS/UEFI has a built-in option and if it does, use the correct option (Wipe + Passes in the case
of an HDD).


>> Option B: See Appendix I: Using ShredOS to securely wipe an HDD drive


>> Option C: Wipe your disk and re-install Linux with new full disk encryption to overwrite all sectors with new encrypted data. This 
method will be terribly slow compared to Option A and B as it will slowly overwrite your whole HDD. 


External/Secondary HDD and Thumb Drives: 
>> Option A: Follow one of these tutorials:
>> https://linuxhint.com/completely_wipe_hard_drive_ubuntu/ [Archive.org]
>> https://linoxide.com/linux-command/commands-wipe-disk-linux/ [Archive.org]
>> https://wiki.archlinux.org/index.php/Securely_wipe_disk [Archive.org]
I recommend using dd or shred for this purpose.


>> Option B: Install and use BleachBit https://www.bleachbit.org/download/linux [Archive.org] or follow this EFF tutorial
https://ssd.eff.org/en/module/how-delete-your-data-securely-linux [Archive.org]


>> Option C: See Appendix I: Using ShredOS to securely wipe an HDD drive
Unfortunately, you will not be able to wipe your Host OS using the Microsoft built-in tools within the settings. This is because your bootloader
System/Internal SSD:


>> Option A: Check if your BIOS/UEFI has a built-in option to do so and if it does, use the correct option (“ATA/NVMe Secure Erase” or 
“ATA/NVMe Sanitize”). Do not use wipe with passes on an SSD drive. 


>> Option B: Check Appendix J: Manufacturer tools for Wiping HDD and SSD drives. 
>> Option C: See Appendix D: Using System Rescue to securely wipe an SSD drive. 


>> Option D: Wipe your disk and re-install Windows before performing new full disk encryption (using Veracrypt or Bitlocker) to overwrite
wear-leveling mechanisms might prevent this from working properly.


External SSD: 
First please see Appendix K: Considerations for using external SSD drives 


Use the manufacturer-provided tools if possible. Those tools should provide support for safe secure erase or sanitize over USB and are 
available for most brands: See Appendix J: Manufacturer tools for Wiping HDD and SSD drives. 


If you are not sure about the Trim support on your USB disk, (not securely) wipe it normally (simple quick format will do) and then encrypt the 
disk again using Veracrypt or Bitlocker. The full disk decryption and re-encryption process will overwrite the entirety of the SSD disk and 
should ensure a secure wipe. 
ensure secure deletion (this can be done with BleachBit or PrivaZer free space erase options). See Extra Tools Cleaning.
wear-leveling mechanisms might prevent this from working properly.


Internal/System HDD: 
>> Option A: Check if your BIOS/UEFI has a built-in option to do so and if it does, use the correct option (Wipe + Passes).
>> Option B: Check Appendix J: Manufacturer tools for Wiping HDD and SSD drives
>> Option C: See Appendix I: Using ShredOS to securely wipe an HDD drive
External/Secondary HDD and Thumb Drives:
>> Option A: Check Appendix J: Manufacturer tools for Wiping HDD and SSD drives
>> Option B: Use external tools such as:
>> Eraser (open-source): https://eraser.heidi.ie/download/ [Archive.org]
>> KillDisk Free: http://killdisk.com/killdisk-freeware.htm [Archive.org]
>> Option C: See Appendix I: Using ShredOS to securely wipe an HDD drive


macOS:
System/Internal SSD: 


Unfortunately, the macOS Recovery disk utility will not be able to perform a secure erase of your SSD drive, as stated in Apple documentation:
https://support.apple.com/en-gb/guide/disk-utility/dskutl14079/mac [Archive.org].


In most cases, if your disk was encrypted with Filevault and you just perform a normal erase, it should be “enough” according to them. It is
not according to me, so you have no option besides re-installing macOS and re-encrypting it with Filevault after re-installing. This
should perform a “crypto erase” by overwriting your earlier install and encryption. This method will be quite slow, unfortunately.


If you want to do a faster secure erase (or have no time to perform a re-install and re-encryption), you can try using the method described in 
Appendix D: Using System Rescue to securely wipe an SSD drive (This will not work on M1 Macs). Be careful tho as this will also erase 
External SSD:
First please see Appendix K: Considerations for using external SSD drives 


If your USB controller and USB SSD disk support Trim and ATA secure erase, and if Trim is enabled on the disk by macOS, you can just wipe
the whole disk normally and data should not be rec
overable on recent disks.
them again using these two tutorials from Apple:


>> https://support.apple.com/guide/disk-utility/erase-and-reformat-a-storage-device-dskutl14079/mac [Archive.org] 





>> https://support.apple.com/guide/disk-utility/encrypt-protect-a-storage-device-password-dskutl35612/mac [Archive.org] or using Veracrypt
full disk encryption.


The full disk re-encryption process will overwrite the entirety of the SSD disk and should ensure a secure wipe. 
wear-leveling mechanisms might prevent this from working properly.


External HDD and Thumb Drives: 
secure erase option from Disk Utility which should work fine on HDD and Thumb drives.


How to securely delete specific files/folders/data on your HDD/SSD and Thumb drives:


The same principles from the earlier chapters apply to this one. The same issues arise too. 


With an HDD drive, you can securely delete files by just deleting them and then applying one or more “passes” to overwrite the data in question.
This can be done with many utilities on all OSes.


With an SSD drive, however, again everything becomes a bit complicated because you are never sure anything is really deleted due to wear
leveling, reliance on the Trim operation, and garbage collection of the drive. An adversary that has the decryption key of your SSD (whether it
is LUKS, Filevault 2, Veracrypt, or Bitlocker) could unlock your drive and then attempt a recovery using classic recovery utilities and could
succeed if the data were not trimmed properly. But this is again highly unlikely.


Since the Trim operation is not continuous on most recent drives but scheduled, simply forcing a Trim operation should be enough. But
again, the only way to be 100% sure a file is securely deleted from your unlocked encrypted SSD is to overwrite all the free space after
deletion of the files in question or to decrypt/re-encrypt the drive. But this is overkill and not necessary. A simple disk-wide Trim should be
sufficient.


Remember tho that no matter the deletion method you use for any file on any medium (HDD drive, SSD, USB Thumb drive), it will
probably leave other traces (logs, indexing, shellbags...) within your system and those traces will also need to be cleaned. Also,
remember that your drives should be fully encrypted and so this is most likely an extra measure. More on that later in the Some
System/Internal SSD drive:
At this stage, just delete the file permanently (empty the recycle bin) and Trim/garbage collection will do the rest. This should be sufficient.


If you do not want to wait for the periodic Trim (set to Weekly by default in Windows 10), you could also force a disk-wide Trim using the 
Windows native Optimize tool (see Appendix H: Windows Cleaning Tools). 


If data were deleted by some utility (for instance by Virtualbox when reverting a snapshot), you could also issue a disk-wide Trim to clean
anything remaining using the same Optimize tool.


Just open Windows Explorer, Right Click on your System Drive and click Properties. Select Tools. Click Optimize and then Optimize again to
force a Trim.

[Screenshot: Windows “Optimize Drives” dialog listing Windows (C:) as a Solid state drive with current status “OK (0 days since last retrim)”, scheduled optimization turned on, frequency Weekly.]

If you want more security and do not trust the Trim operation, then you will have no option but to either: 


>> Decrypt and re-encrypt (using Veracrypt or Bitlocker) the whole drive to overwrite all free space after data deletion. This will ensure 
overwriting of all the free space. 


>> Trim and then fill up the entire free space of the disk using a utility such as BleachBit or PrivaZer. 
wear-leveling mechanisms might prevent this from working properly.


Internal/External HDD or a USB Thumb Drive: 


Please refer to Appendix H: Windows Cleaning Tools.
The process is quite simple depending on the tool you picked from the Appendix:
>> Right-click a file/folder:
>> PrivaZer: Delete without a trace
>> BleachBit: Shred with BleachBit (or see this tutorial from the EFF)
using Eraser / KillDisk as instructed previously.
First please see Appendix K: Considerations for using external SSD drives


If Trim is supported and enabled by Windows for your external SSD drive, there should be no issue in securely deleting data normally, just
with normal delete commands. Additionally, you could also force a Trim using the Windows native Optimize tool (see Appendix H: Windows
Cleaning Tools):


Just open Windows Explorer, Right Click on your System Drive and click Properties. Select Tools. Click Optimize and then Optimize again to 
force a Trim. You are done. That is probably enough in my opinion. 
>> Filling up all the free space after any deletion (using BleachBit or PrivaZer for instance).
>> Decrypt and Re-encrypt the disk with a different key after each deletion (using Veracrypt or Bitlocker).
wear-leveling mechanisms might prevent this from working properly.


Linux (non-Qubes OS):
System/Internal SSD drive: 


Just permanently delete the file (empty the recycle bin) and it should be unrecoverable due to Trim operations and garbage collection.


If you do not want to wait for the periodic Trim (set to Weekly by default in Ubuntu), you could also force a disk-wide Trim by running fstrim
--all from a terminal. This will issue an immediate trim and should ensure sufficient security. This utility is part of the util-linux package
on Debian/Ubuntu and should be installed by default on Ubuntu.


If you want more security and do not trust the Trim operation, then you will have no option but to either: 

>> Decrypt and re-encrypt the whole drive (using LUKS for instance, following this tutorial https://wiki.archlinux.org/index.php/dm-crypt/Device_encryption#Re-encrypting_devices [Archive.org]) to overwrite all free space after data deletion. This will ensure overwriting of all the free space. 

>> Trim using fstrim --all and then fill up the entire free space of the disk using a utility such as: 

>> BleachBit https://www.bleachbit.org/download/linux [Archive.org] 
>> Install the secure-delete package and use sfill on the root of the drive: 
>> sudo sfill -l -l / for instance should do the trick (the two flags are lowercase L and reduce sfill to a single pass, which is all you need to fill the space; this will still take a substantial amount of time) 
>> Use the old school dd method (taken from this answer https://superuser.com/questions/19326/how-to-wipe-free-disk-space-in-linux [Archive.org]); run these commands inside the mount point of the drive you want to fill, as root so that the blocks reserved for root on ext filesystems get filled too (the small file is created first so that you can delete it and give the system some room once the disk is full; bs=1M instead of bs=1024 does the same job much faster): 

>> dd if=/dev/zero of=zero.small.file bs=1024 count=102400 
>> dd if=/dev/zero of=zero.file bs=1024 
>> sync ; sleep 60 ; sync 
>> rm zero.small.file 
>> rm zero.file 

Keep in mind that there is no guarantee on an SSD: wear-leveling mechanisms might prevent this from working properly. 


Internal/External HDD drive or a Thumb Drive: 

>> You can do this the graphical way with BleachBit following this tutorial from the EFF: https://ssd.eff.org/en/module/how-delete-your-data-securely-linux [Archive.org] 

>> Or you can do this from the command line following this tutorial: https://linuxhint.com/completely_wipe_hard_drive_ubuntu/ [Archive.org] (For this purpose I recommend wipe and shred). Note that shred overwrites the file in place, so it only works on filesystems that write in place: its own manual warns it is unreliable on journaled-data, copy-on-write (Btrfs, ZFS), compressed or snapshotting filesystems, and it does not help on an SSD. 


External SSD drive: 

First please see Appendix K: Considerations for using external SSD drives 

If Trim is supported and enabled by your Linux Distribution for your external SSD drive, there should be no issue in securely deleting data normally; just issue an fstrim --all from the terminal to trim the drive. This utility is part of the “util-linux” package on Debian/Ubuntu and should be installed by default on Fedora. 

If you want more security and do not trust the Trim operation, you will have to overwrite all the free space using a utility such as: 

>> Decrypt and re-encrypt the whole drive (using LUKS following this tutorial https://wiki.archlinux.org/index.php/dm-crypt/Device_encryption#Re-encrypting_devices [Archive.org], or Veracrypt from the graphical interface for instance) to overwrite all free space after data deletion. This will ensure overwriting of all the free space. 

>> Fill the free space using one of those methods: 
>> BleachBit https://www.bleachbit.org/download/linux [Archive.org] 
>> Install the secure-delete package and use sfill on the root of the drive: 
>> sudo sfill -l -l / for instance should do the trick (lowercase L; replace / with the mount point of the external drive, otherwise you fill your system drive instead; this will take a substantial amount of time) 
>> Use the old school dd method (taken from this answer https://superuser.com/questions/19326/how-to-wipe-free-disk-space-in-linux [Archive.org]); run these commands inside the mount point of the external drive: 

>> dd if=/dev/zero of=zero.small.file bs=1024 count=102400 
>> dd if=/dev/zero of=zero.file bs=1024 
>> sync ; sleep 60 ; sync 
>> rm zero.small.file 
>> rm zero.file 

Keep in mind that there is no guarantee on an SSD: wear-leveling mechanisms might prevent this from working properly. 


Linux (Qubes OS): 
System/Internal SSD drive: 

As with other Linux distros, normal deletion and trim should be sufficient on most SSD drives. So just permanently delete the file (and empty the trash). Refer to this Documentation to enable Trim: https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/disk-trim.md [Archive.org] 

As with other Linux Systems, if you want more security and do not trust the Trim operation then you will have no option but to either: 

>> Decrypt and re-encrypt the whole drive to overwrite all free space after data deletion. This will ensure overwriting of all the free space. I could not find a reliable way of doing this safely on Qubes OS; you might be able to do it using LUKS following this tutorial https://wiki.archlinux.org/index.php/dm-crypt/Device_encryption#Re-encrypting_devices [Archive.org] (at your own risk, this has not been tested yet). 

>> Refer to this Documentation (https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/disk-trim.md [Archive.org]) to enable Trim, trim using fstrim --all, and then fill up the entire free space of the disk using a utility such as: 
>> BleachBit https://www.bleachbit.org/download/linux [Archive.org] 
>> Install the secure-delete package and use sfill on the root of the drive: 
>> sudo sfill -l -l / for instance should do the trick (lowercase L; this will take a substantial amount of time) 
>> Use the old school dd method (taken from this answer https://superuser.com/questions/19326/how-to-wipe-free-disk-space-in-linux [Archive.org]); run these commands on the drive you want to fill: 

>> dd if=/dev/zero of=zero.small.file bs=1024 count=102400 
>> dd if=/dev/zero of=zero.file bs=1024 
>> sync ; sleep 60 ; sync 
>> rm zero.small.file 
>> rm zero.file 

Note that on Qubes OS the physical drive belongs to dom0: filling the free space from inside a qube only fills that qube's thin-provisioned virtual disk, not the whole SSD. 

Keep in mind that there is no guarantee on an SSD: wear-leveling mechanisms might prevent this from working properly. 


Internal/External HDD drive or a Thumb Drive: 

Use the same method as Linux from a Qube connected to that specific USB device: 

>> You can do this the graphical way with BleachBit following this tutorial from the EFF: https://ssd.eff.org/en/module/how-delete-your-data-securely-linux [Archive.org] 

>> Or you can do this from the command line following this tutorial: https://linuxhint.com/completely_wipe_hard_drive_ubuntu/ [Archive.org] (For this purpose I recommend wipe and shred; as noted for Linux, shred only helps on filesystems that overwrite in place and not on an SSD). 

External SSD drive: 

First please see Appendix K: Considerations for using external SSD drives 

If Trim is supported and enabled by your Linux Distribution for your external SSD drive, there should be no issue in securely deleting data normally; just issue a fstrim --all from the terminal to trim the drive. Refer to this Documentation (https://github.com/Qubes-Community/Contents/blob/master/docs/configuration/disk-trim.md [Archive.org]) to enable trim on a drive. 

If you want more security and do not trust the Trim operation, you will have to overwrite all the free space using a utility from a Qube connected to the USB device in question: 

>> Decrypt and re-encrypt the whole drive (using LUKS following this tutorial https://wiki.archlinux.org/index.php/dm-crypt/Device_encryption#Re-encrypting_devices [Archive.org], or Veracrypt from the graphical interface for instance) to overwrite all free space after data deletion. This will ensure overwriting of all the free space. 

>> Fill the free space using one of those methods: 
>> BleachBit https://www.bleachbit.org/download/linux [Archive.org] 
>> Install the secure-delete package and use sfill on the root of the drive: 
>> sudo sfill -l -l / for instance should do the trick (lowercase L; replace / with the mount point of the external drive; this will take a substantial amount of time) 
>> Use the old school dd method (taken from this answer https://superuser.com/questions/19326/how-to-wipe-free-disk-space-in-linux [Archive.org]); run these commands inside the mount point of the external drive: 

>> dd if=/dev/zero of=zero.small.file bs=1024 count=102400 
>> dd if=/dev/zero of=zero.file bs=1024 
>> sync ; sleep 60 ; sync 
>> rm zero.small.file 
>> rm zero.file 

Repeat these steps on any other partition if there are separate partitions on the same SSD drive. 

Keep in mind that there is no guarantee on an SSD: wear-leveling mechanisms might prevent this from working properly. 


macOS: 
System/Internal SSD drive: 

>> If your file system is APFS, you do not need to worry about Trim, it happens asynchronously as the OS writes data. From Apple's documentation: 

“Does Apple File System support TRIM operations? 
Yes. TRIM operations are issued asynchronously from when files are deleted or free space is reclaimed, which ensures that these operations are performed only after metadata changes are persisted to stable storage”. 

>> Note however that APFS keeps local Time Machine snapshots, and a deleted file stays fully recoverable from a snapshot until the snapshot itself is gone. List them with tmutil listlocalsnapshots / and remove them with tmutil deletelocalsnapshots <date> (or tmutil thinlocalsnapshots) before relying on the Trim. 

>> If your file system is HFS+, you could run First Aid on your System Drive from the Disk Utility, which should perform a Trim operation as shown in the details (https://support.apple.com/en-us/HT210898 [Archive.org]). 

[Screenshot: Disk Utility First Aid on “Macintosh HD”; the details pane lists “Trimming unused blocks.” among the checks and ends with “The volume Macintosh HD appears to be OK. Operation successful.”] 





System/Internal, External HDD drive or a Thumb Drive: 

Unfortunately, Apple has removed the secure erase options from the trash bin even for HDD drives. So, you are left with using other tools: 

>> Permanent Eraser http://www.edenwaith.com/products/permanent%20eraser/ [Archive.org] 

>> From the terminal, you can use the rm -P filename command which should erase the file and overwrite it as explained in this EFF tutorial https://ssd.eff.org/en/module/how-delete-your-data-securely-macos [Archive.org]. Note that rm -P overwrites the file in place, which only helps on a filesystem that writes in place (HFS+ on an HDD); on a copy-on-write APFS volume the overwrite may land on new blocks and leave the old ones untouched. 

In the case of USB thumb drives, consider wiping them completely using Disk Utility as instructed previously. 


External SSD drive: 

First please see Appendix K: Considerations for using external SSD drives 

If Trim is supported and enabled by macOS for your external SSD drive, there should be no issue in securely deleting data. 

If you want more security and do not trust the Trim operation, consider: 
>> Filling up all the free space after any deletion using the Linux Method above (dd). 
>> Decrypt and Re-encrypt the disk with a different key after each deletion (using Disk Utility or Veracrypt). 
Some additional measures against forensics: 

Note that the same SSD issue discussed in the earlier section will arise here. You can never really be 100% sure your SSD data is deleted when you ask it to do so unless you wipe the whole drive using the specific methods above. 

I am not aware of any 100% reliable method to delete single files selectively and securely on SSD drives other than overwriting ALL the free space (which might reduce the lifespan of your SSD) after Deletion + Trim of these files. Without doing that, you will have to trust the SSD controller to actually discard the data after a Deletion with Trim. 

In addition, most of these measures here should not be needed since your whole drive should be encrypted and therefore your data should not be accessible for forensic analysis through SSD/HDD examination anyway. So, these are just “bonus measures” for weak/unskilled adversaries. 

Consider also reading this documentation if you’re going with Whonix https://www.whonix.org/wiki/Anti-Forensics_Precautions [Archive.org] as well as their general hardening tutorial for all platforms here https://www.whonix.org/wiki/System_Hardening_Checklist [Archive.org] 

Removing Metadata from Files/Documents/Pictures: 


Pictures and videos: 

On Windows, macOS, and Linux I would recommend ExifTool (https://exiftool.org/ [Archive.org]) and/or ExifCleaner (https://exifcleaner.com/ [Archive.org]) that allow viewing and/or removing those properties. 

EXIFCLEANER: 
Just install it from https://exifcleaner.com/ [Archive.org], run it, and drag and drop the files into the GUI. 
EXIFTOOL: 
It is actually simple, just install exiftool and run: 
>> To display metadata: exiftool filename.jpg 
>> To remove all metadata: exiftool -All= filename.jpg 
>> Note that exiftool keeps the untouched original next to the file as filename.jpg_original unless you add -overwrite_original; do not leave that copy behind, it still holds all the metadata. 
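To show what “remove all metadata” actually does to a picture, here is an added example (not part of this guide and not ExifTool's code) that walks the marker segments of a JPEG and drops the ones that carry EXIF/XMP (APP1), ICC profile (APP2), Photoshop/IPTC (APP13) and the free-text comment (COM), leaving the tables and the image data intact. The choice to keep APP0 (JFIF) and APP14 (Adobe) is a design assumption of this example, since some decoders rely on them. SAMPLE_JPEG is constructed here and is not a viewable picture; it only has the right segment layout. 

```python
import struct

# Marker segments that carry metadata and are safe to drop: APP1 (EXIF/XMP),
# APP2 (ICC profile), APP13 (Photoshop/IPTC) and COM (free-text comment).
# APP0 (JFIF) and APP14 (Adobe) are kept because some decoders rely on them.
STRIP_MARKERS = {0xE1, 0xE2, 0xED, 0xFE}
# Markers that have no length field: TEM, RST0-7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))
SOS = 0xDA


def _segments(data: bytes):
    """Yield (marker, raw_bytes) for every segment. The SOS segment is yielded
    together with everything that follows it (entropy-coded data and EOI)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    yield 0xD8, data[:2]
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        while data[pos] == 0xFF:          # skip fill bytes
            pos += 1
        marker = data[pos]
        start = pos - 1                   # the 0xFF introducing this marker
        pos += 1
        if marker == SOS:
            yield marker, data[start:]    # scan header + image data + EOI
            return
        if marker in STANDALONE:
            yield marker, data[start:pos]
            continue
        (length,) = struct.unpack(">H", data[pos:pos + 2])  # includes the 2 length bytes
        yield marker, data[start:pos + length]
        pos += length


def list_markers(data: bytes) -> list:
    """Marker codes in file order, e.g. [0xD8, 0xE0, 0xE1, ...]."""
    return [marker for marker, _ in _segments(data)]


def strip_jpeg_metadata(data: bytes) -> bytes:
    """Return a copy of the JPEG without EXIF/XMP/ICC/IPTC/comment segments."""
    return b"".join(raw for marker, raw in _segments(data) if marker not in STRIP_MARKERS)


def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: JPEG-shaped bytes with a JFIF header, an EXIF block, a
# comment, dummy DQT/SOF0 tables and a fake scan. Not a viewable picture.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xE1, b"Exif\x00\x00MM\x00\x2a" + b"<GPS-and-camera-tags-would-be-here>")
    + _seg(0xFE, b"taken in my living room, 2022-01-15")
    + _seg(0xDB, b"\x00" + bytes(64))
    + _seg(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")
    + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56\x78"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    cleaned = strip_jpeg_metadata(SAMPLE_JPEG)
    print("before:", [hex(m) for m in list_markers(SAMPLE_JPEG)])
    print("after: ", [hex(m) for m in list_markers(cleaned)])
```

Running the example on a real file (read it as bytes, write the result to a new name) is equivalent to what exiftool -All= does for a JPEG, minus the _original backup. It does nothing for metadata hidden in the scan itself (a thumbnail inside the EXIF block is removed with the block, but steganographic content is not touched), and it is JPEG-only: PNG, HEIC and video containers have their own metadata boxes, which is why the guide points at ExifTool for those. 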
WINDOWS NATIVE TOOL: 

Here is a tutorial to remove metadata from a Picture using OS provided tools: https://www.purevpn.com/internet-privacy/how-to-remove-metadata-from-photos [Archive.org] 

CLOAKING/OBFUSCATING TO PREVENT PICTURE RECOGNITION: 

Consider the use of Fawkes https://sandlab.cs.uchicago.edu/fawkes/ [Archive.org] (https://github.com/Shawn-Shan/fawkes [Archive.org]) to cloak the images from picture recognition tech on various platforms. 

Or if you want online versions, consider: 
>> https://lowkey.umiacs.umd.edu/ [Archive.org] 
>> https://adversarial.io/ [Archive.org] 

PDF Documents: 

Consider using https://github.com/kanzure/pdfparanoia [Archive.org] which will remove metadata and watermarks on any PDF. 

EXIFCLEANER (LINUX/WINDOWS/MACOS/QUBESOS): 
Just install it from https://exifcleaner.com/ [Archive.org], run it, and drag and drop the files into the GUI. 
EXIFTOOL (LINUX/WINDOWS/MACOS/QUBESOS): 
It is actually simple, just install exiftool and run: 
>> To display metadata: exiftool filename.pdf 
>> To remove all metadata: exiftool -All= filename.pdf 
>> Note that exiftool edits a PDF by appending an incremental update: the original metadata is still inside the file and can be recovered (exiftool -PDF-update:All= would even restore it). Re-save the PDF with a tool that rewrites the whole file, for instance qpdf --linearize input.pdf output.pdf, to actually drop it. 





MS Office Documents: 

First, here is a tutorial to remove metadata from Office documents: https://support.microsoft.com/en-us/office/remove-hidden-data-and-personal-information-by-inspecting-documents-presentations-or-workbooks-356b7b5d-77af-44fe-a07f-9aa4d085966f [Archive.org] Make sure however that you do use the latest version of Office with the latest security updates. 

Alternatively, on Windows, macOS, Qubes OS, and Linux I would recommend ExifTool (https://exiftool.org/ [Archive.org]) and/or ExifCleaner (https://exifcleaner.com/ [Archive.org]) to view those properties. 

EXIFCLEANER: 
Just install it from https://exifcleaner.com/ [Archive.org], run it, and drag and drop the files into the GUI. 
EXIFTOOL: 
It is actually simple, just install exiftool and run: 
>> To display metadata: exiftool filename.docx 
>> Note that ExifTool can only read Office (docx/xlsx/pptx) files, not write them: exiftool -All= filename.docx will refuse with a “Writing of DOCX files is not yet supported” error. Use the Document Inspector from the tutorial above, or mat2 (see All-in-one Tool below), for the actual removal. 


LibreOffice Documents: 

>> Select File in the upper menu 
>> Select Properties 
>> Uncheck “Apply User Data” 
>> Uncheck “Save Preview image with the Document” 
>> Click “Reset Properties” 
>> Make sure there is nothing on the Description and Custom Properties tabs 
>> Select Tools in the upper menu 
>> Select Options 
>> Select Security 
>> Click “Security Options and Warnings” 
>> Check: 
>> “When printing” 
>> “When saving or sending” 
>> “When creating PDF files” 
>> “Remove personal information on saving” 

In addition, on Windows, macOS, Qubes OS, and Linux I would recommend ExifTool (https://exiftool.org/ [Archive.org]) and/or ExifCleaner (https://exifcleaner.com/ [Archive.org]) to view the remaining properties. 

EXIFCLEANER: 
Just install it from https://exifcleaner.com/ [Archive.org], run it, and drag and drop the files into the GUI. 
EXIFTOOL: 
It is actually simple, just install exiftool and run: 
>> To display metadata: exiftool filename.odt 
>> As with Office files, ExifTool only reads OpenDocument files and cannot write them, so use the LibreOffice settings above (or mat2, see All-in-one Tool below) for the actual removal. 
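Both Office and LibreOffice files are zip packages, and the properties those two sections talk about live in a handful of XML parts inside the zip (docProps/core.xml, docProps/app.xml, docProps/custom.xml for Office; meta.xml for OpenDocument). Here is an added example (not part of this guide, not mat2's or LibreOffice's code) that lists those parts and rewrites the package with blank replacements, and also flattens a leak the XML-level tools do not show you: every zip entry carries its own modification timestamp. The empty XML roots and build_sample_docx are constructed for this example; the sample is not a real Word file, just a package with the same layout. 

```python
import io
import zipfile

# Empty replacements for the parts that carry author, company, editing time
# and timestamps. They are replaced rather than deleted so the references in
# [Content_Types].xml / META-INF/manifest.xml stay valid. (Minimal roots,
# written for this example.)
EMPTY_PARTS = {
    "docProps/core.xml": (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"/>'),
    "docProps/app.xml": (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"/>'),
    "docProps/custom.xml": (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"/>'),
    "meta.xml": (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<office:document-meta xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
        'office:version="1.2"><office:meta/></office:document-meta>'),
}
DOS_EPOCH = (1980, 1, 1, 0, 0, 0)  # earliest date a zip entry can carry


def read_part(data: bytes, name: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name)


def read_document_metadata(data: bytes) -> dict:
    """Text of every metadata part present (docx/xlsx/pptx or odt/ods/odp)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return {n: z.read(n).decode("utf-8", "replace") for n in z.namelist() if n in EMPTY_PARTS}


def entry_timestamps(data: bytes) -> set:
    """Per-entry modification times: a second leak that lives outside the XML."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return {i.date_time for i in z.infolist()}


def strip_document_metadata(data: bytes) -> bytes:
    """Rewrite the package with blank metadata parts and flattened zip timestamps.
    Content parts (word/document.xml, content.xml, ...) are copied unchanged, so
    comments, tracked changes and embedded images keep whatever they contain."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():          # keep order: ODF needs 'mimetype' first
            name = info.filename
            body = EMPTY_PARTS[name].encode() if name in EMPTY_PARTS else src.read(name)
            new = zipfile.ZipInfo(name, date_time=DOS_EPOCH)
            new.compress_type = zipfile.ZIP_STORED if name == "mimetype" else zipfile.ZIP_DEFLATED
            dst.writestr(new, body)
    return out.getvalue()


def build_sample_docx() -> bytes:
    """Constructed, minimal docx-like package (not a real Word file) with leaking properties."""
    parts = {
        "[Content_Types].xml": (
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
            '</Types>'),
        "docProps/core.xml": (
            '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:creator>Jane Doe</dc:creator>'
            '<cp:lastModifiedBy>jdoe-laptop</cp:lastModifiedBy></cp:coreProperties>'),
        "word/document.xml": (
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:t>Hello</w:t></w:r></w:p></w:body></w:document>'),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, xml in parts.items():
            z.writestr(zipfile.ZipInfo(name, date_time=(2022, 1, 15, 14, 3, 0)), xml)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", read_document_metadata(sample))
    print("after: ", read_document_metadata(strip_document_metadata(sample)))
```

Run read_document_metadata on a real file first to see what is there; the interesting fields are dc:creator, cp:lastModifiedBy, dcterms:created/modified, Company and TotalTime in app.xml, and meta:generator / meta:editing-cycles in meta.xml. Blanking the parts is what the Document Inspector and LibreOffice's “Remove personal information” do for the properties; this example does not inspect the content parts, so comments, tracked changes, hidden text and the EXIF inside embedded pictures are still on you (mat2 handles the embedded pictures). 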
All-in-one Tool: 

Another good tool IMHO to remove metadata from various documents is the open-source mat2, recommended by privacyguides.org (https://0xacab.org/jvoisin/mat2 [Archive.org]), which you can use on Linux quite easily. I never managed to make it work properly within Windows due to various dependency issues despite the provided instructions. It is however very straightforward to install and use on Linux. 

So, I would suggest creating a small Debian VM within Virtualbox (behind your Whonix Gateway) which you can then use from your other VMs to analyze various files from a convenient web interface. For this see Appendix L: Creating a mat2-web guest VM for removing metadata from files. 

[Screenshot: the mat2-web upload page: “Remove metadata. The file you see is just the tip of the iceberg. Remove the hidden metadata.”] 

Mat2 is also pre-installed on the Whonix Workstation VM and available on Tails by default. 


Tails: 

Tails is great for this; you have nothing to worry about even if you use an SSD drive. Shut it down and it is all gone as soon as the memory decays. 

Whonix: 

Note that it’s possible to run Whonix in Live mode leaving no traces when you shut down the VMs; consider reading their documentation here and here. 


macOS: 
Guest OS: 

Revert to an earlier snapshot on Virtualbox (or any other VM software you are using) and perform a Trim command on your Mac using Disk Utility by running First Aid on the Host OS again, as explained at the end of the next section. 


Host OS: 

QUARANTINE DATABASE (USED BY GATEKEEPER AND XPROTECT): 

macOS (up to and including Big Sur) keeps a Quarantine SQL Database of all the files you ever downloaded from a Browser. This database is located at ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2. 

>> You can view it by running: sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 "select * from LSQuarantineEvent" 
>> Run the following command to empty the file: :> ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 
>> Run the following command to lock the file and prevent further download history from being written there: sudo chflags schg ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2 

Lastly, you can also disable Gatekeeper altogether by issuing the following command in the terminal: sudo spctl --master-disable 
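The guide truncates the whole file, which is the simplest option. Here is an added example (not from the guide) of the other approach, deleting the rows, and of the trap in it: a plain DELETE only unlinks the rows from SQLite's B-tree and leaves their bytes in free pages of the file, where a forensic tool recovers them. The example turns on secure_delete (SQLite zeroes freed cells) and runs VACUUM (the file is rebuilt without the free pages), then checks the raw bytes. The table is a constructed subset of the real LSQuarantineEvent columns (assumption: the real database has more columns, which this code never touches), the rows are invented, and it runs against a temp copy, never against your real database. 

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# LSQuarantineTimeStamp is a Core Data date: seconds since 2001-01-01 UTC.
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Subset of the real LSQuarantineEvent columns (assumption: the real table has
# more; only these are read here).
SCHEMA = """CREATE TABLE IF NOT EXISTS LSQuarantineEvent (
    LSQuarantineEventIdentifier TEXT PRIMARY KEY NOT NULL,
    LSQuarantineTimeStamp REAL,
    LSQuarantineAgentName TEXT,
    LSQuarantineDataURLString TEXT,
    LSQuarantineOriginURLString TEXT)"""

QUERY = ("SELECT LSQuarantineTimeStamp, LSQuarantineAgentName, LSQuarantineDataURLString, "
         "LSQuarantineOriginURLString FROM LSQuarantineEvent ORDER BY LSQuarantineTimeStamp")


def list_downloads(db_path: str) -> list:
    """[(iso_time, agent, downloaded_url, page_it_came_from), ...] in time order."""
    conn = sqlite3.connect(db_path)
    try:
        rows = conn.execute(QUERY).fetchall()
    finally:
        conn.close()
    return [((APPLE_EPOCH + timedelta(seconds=ts)).isoformat(), agent, url, origin)
            for ts, agent, url, origin in rows]


def purge_downloads(db_path: str) -> int:
    """Delete every event and make the bytes leave the file, not just the B-tree.
    A bare DELETE keeps the old row bytes in free pages, so secure_delete zeroes
    the freed cells and VACUUM rebuilds the file without them."""
    conn = sqlite3.connect(db_path)
    try:
        conn.execute("PRAGMA secure_delete = ON")
        deleted = conn.execute("SELECT COUNT(*) FROM LSQuarantineEvent").fetchone()[0]
        conn.execute("DELETE FROM LSQuarantineEvent")
        conn.commit()
        conn.execute("VACUUM")
    finally:
        conn.close()
    return deleted


def file_contains(path: str, needle: bytes) -> bool:
    """Raw check of the database file: is the string still recoverable from disk?"""
    with open(path, "rb") as f:
        return needle in f.read()


def run_demo() -> dict:
    """Build a constructed copy of the database in a temp dir, list it, purge it,
    and check whether a download URL is still recoverable from the raw file."""
    path = os.path.join(tempfile.mkdtemp(), "com.apple.LaunchServices.QuarantineEventsV2")
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO LSQuarantineEvent VALUES (?, ?, ?, ?, ?)", [
        ("A1B2C3D4-0000-4000-8000-000000000001", 663000000.0, "Safari",
         "https://example.org/files/leak-2022.pdf", "https://example.org/docs/"),
        ("A1B2C3D4-0000-4000-8000-000000000002", 663003600.0, "Firefox",
         "https://example.net/tool.dmg", "https://example.net/download"),
    ])
    conn.commit()
    conn.close()
    result = {"before": list_downloads(path),
              "leaked_before": file_contains(path, b"leak-2022.pdf")}
    result["deleted"] = purge_downloads(path)
    result["after"] = list_downloads(path)
    result["leaked_after"] = file_contains(path, b"leak-2022.pdf")
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

To audit your own machine, point list_downloads at the real path (copy the file first and close the browser; the list is the same thing the sqlite3 one-liner above prints, with readable timestamps). The point worth keeping from the demo is the leaked_before/leaked_after pair: any “cleaner” that merely runs DELETE without VACUUM, or any deletion on a database opened with secure_delete off, leaves the URLs in the file, which is exactly why the guide's :> truncation is the safer move. 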
In addition to this convenient database, each saved file will also carry detailed file system HFS+/APFS attributes showing for instance when it was downloaded, with what, and from where. 

You can view these just by opening a terminal and typing mdls filename and xattr -l filename on any downloaded file from any browser. 

To remove such attributes, you will have to do it manually from the terminal: 

>> Run xattr -d com.apple.metadata:kMDItemWhereFroms filename to remove the origin 
>> You can also just use -dr to do it recursively on a whole folder/disk 
>> Run xattr -d com.apple.quarantine filename to remove the quarantine reference 
>> You can also just use -dr to do it recursively on a whole folder/disk 
>> Verify by running xattr -l filename and there should be no output 

I am not aware of any convenient tool that will deal with those at the moment. 


Fortunately, there are some mitigations for avoiding this issue in the first place as these attributes and entries are set by the browsers. So, I tested various browsers (on macOS Catalina, Big Sur, and Monterey), and here are the results as of the date of this guide: 

Browser | Quarantine DB Entry | Quarantine File Attribute | Origin File Attribute 
Safari (Private Window) 
Firefox (Normal) 
Firefox (Private Window) 
Chrome (Normal) 
Chrome (Private Window) 
Brave (Normal): Partial (timestamp only) 
Brave (Private Window): Partial (timestamp only) 
Brave (Tor Window): Partial (timestamp only) 
Tor Browser 

As you can see for yourself the easiest mitigation is to just use Private Windows. These do not write those origin/quarantine attributes and do not store the entries in the QuarantineEventsV2 database. 

Clearing the QuarantineEventsV2 is easy as explained above. Removing the attributes takes some work. Brave is the only tested browser that will not store those attributes by default in normal operation. 


VARIOUS ARTIFACTS: 
In addition, macOS keeps various logs of mounted devices, connected devices, known networks, analytics, document revisions... 

See this section of this guide for guidance on where to find and how to delete such artifacts: https://github.com/drduh/macOS-Security-and-Privacy-Guide#metadata-and-artifacts [Archive.org] 

Many of those can be deleted using various commercial third-party tools but I would personally recommend using the free and well-known Onyx which you can find here: https://www.titanium-software.fr/en/onyx.html [Archive.org] Unfortunately, it is closed-source, but it is notarized, signed, and has been trusted for many years. 


FORCE A TRIM OPERATION AFTER CLEANING: 
>> If your file system is APFS, you do not need to worry about Trim, it happens asynchronously as the OS writes data. 

>> If your file system is HFS+ (or any other than APFS), you could run First Aid on your System Drive from the Disk Utility, which should perform a Trim operation as shown in the details (https://support.apple.com/en-us/HT210898 [Archive.org]). 

[Screenshot: Disk Utility First Aid on “Macintosh HD”; the details pane lists “Trimming unused blocks.” among the checks and ends with “The volume Macintosh HD appears to be OK. Operation successful.”] 





Linux (Qubes OS): 

Please consider their guidelines https://github.com/Qubes-Community/Contents/blob/master/docs/security/security-guidelines.md [Archive.org] 
If you are using Whonix on Qubes OS, please consider following some of their guides: 
>> Whonix System Hardening guide https://www.whonix.org/wiki/System_Hardening_Checklist [Archive.org] 
>> Enabling AppArmor on Qubes https://www.whonix.org/wiki/Qubes/AppArmor [Archive.org] 
>> Also, consider the use of Linux Kernel Runtime Guard https://www.whonix.org/wiki/Linux_Kernel_Runtime_Guard_LKRG [Archive.org] 

Linux (non-Qubes OS): 
Guest OS: 

Revert to an earlier snapshot of the Guest VM on Virtualbox (or any other VM software you are using) and perform a trim command on your laptop using fstrim --all. This utility is part of the util-linux package on Debian/Ubuntu and should be installed by default on Fedora. Then switch to the next section. 

Host OS: 

Normally you should not have traces to clean within the Host OS since you are doing everything from a VM if you follow this guide. If you still want to clean the Host OS logs and shell histories, consider a utility such as https://github.com/sundowndev/covermyass [Archive.org] 

After cleaning up, make sure you have the fstrim utility installed (it should be by default on Fedora, and it is part of the util-linux package on Debian/Ubuntu). Then just run fstrim --all on the Host OS. This should be sufficient on SSD drives as explained earlier. 

Consider the use of Linux Kernel Runtime Guard as an added measure https://www.whonix.org/wiki/Linux_Kernel_Runtime_Guard_LKRG [Archive.org] 
Windows: 
Guest OS: 

Revert to an earlier snapshot on Virtualbox (or any other VM software you are using) and perform a trim command on your Windows using the Optimize tool as explained at the end of the next section. 

Host OS: 

Now that you had a bunch of activities with your VMs or Host OS, you should take a moment to cover your tracks. Most of these steps should not be done on the Decoy OS if you are using plausible deniability: you want to keep decoy/plausible traces of sensitive but not secret activities available for your adversary. If everything is clean, then you might raise suspicion. 

DIAGNOSTIC DATA & TELEMETRY: 
>> After each use of your Windows devices, go into Settings, Privacy, Diagnostic & Feedback, and click Delete. 

Then let us re-randomize the MAC addresses of your Virtual Machines and the Bluetooth Address of your Host OS. 

>> After each shutdown of your Windows VM, change its MAC address for next time by going into Virtualbox > Select the VM > Settings > Network > Advanced > Refresh the MAC address. 

>> After each use of your Host OS Windows (your VM should not have Bluetooth at all), go into the Device Manager, select Bluetooth, disable the device and re-enable the device (this will force a randomization of the Bluetooth Address). 


EVENT LOGS: 

Windows Event logs will keep many various pieces of information that could contain traces of your activities such as the devices that were mounted (including Veracrypt NTFS volumes for instance), your network connections, app crash information, and various errors. It is always best to clean those up regularly. Do not do this on the Decoy OS. 

>> Start, search for Event Viewer, and launch Event Viewer: 
>> Go into Windows Logs. 
>> Select and clear all five logs using a right-click. 

Note that clearing a log is itself recorded: Windows writes event ID 1102 to the Security log and event ID 104 to the System log when a log is cleared, so an examiner will see that the logs were wiped and when. This is one more reason never to do this on the Decoy OS. 

VERACRYPT HISTORY: 

By default, Veracrypt saves a history of recently mounted volumes and files. You should make sure Veracrypt never saves History. Again, do not do this on the Decoy OS if you are using plausible deniability for the OS. We need to keep the history of mounting the decoy Volume as part of the plausible deniability. 

>> Launch Veracrypt 
>> Make sure the “Never save history” checkbox is checked (this should not be checked on the Decoy OS) 

Now you should clean the history within any app that you used including Browser history, Cookies, Saved Passwords, Sessions, and Form History. 

BROWSER HISTORY: 

>> Brave 
>> Go into Settings 
>> Go into Shields 
>> Go into Clear Browsing Data 
>> Select Advanced 
>> Select “All Time” 
>> Check all the options 
>> Clear Data 

>> Tor Browser 
>> Just close the Browser and everything is cleaned 


WI-FI HISTORY: 

Now it is time to clear the history of the Wi-Fi networks you connected to. Unfortunately, Windows keeps storing a list of past Networks in the registry even if you “forgot” those in the Wi-Fi settings. As far as I know, no utilities clean those yet (BleachBit or PrivaZer for instance) so you will have to do it the manual way: 

>> Launch Regedit using this tutorial: https://support.microsoft.com/en-us/windows/how-to-open-registry-editor-in-windows-10-deab38e6-91d6-e0aa-4b7c-8878d9e07b11 [Archive.org] 
>> Within Regedit, enter this in the address bar: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles 
>> There you will see a bunch of folders in the tree on the left. Each of those folders is a “Key”. Each of those keys will contain information about your current known Wi-Fi or past networks you used. You can explore them one by one and see the description on the right side. 
>> Delete all those keys. 
>> Also check the sibling keys ...\NetworkList\Signatures\Unmanaged and ...\NetworkList\Signatures\Managed: each entry there points at a profile GUID and stores the network description and the gateway's MAC address, so delete those entries as well. 


SHELLBAGS: 

As explained earlier, Shellbags are basically histories of accessed volumes/files on your computer. Remember that shellbags are exceptionally useful sources of information for forensics and you need to clean those, especially if you mounted any hidden volume anywhere. Again, you should not do this on the Decoy OS: 

>> Launch the utility 
>> Analyze 
>> Click Clean and select: 
>> Deleted Folders 
>> Folders on Network / External devices 
>> Search Results 
>> Select Advanced 
>> Check all except the two backup options (do not back up) 
>> Select SSD cleanup (if you have an SSD) 
>> Select one pass (All zero) 
>> Clean 
After cleaning those earlier traces, you should also use third-party utilities that can be used to clean various traces. These include the traces of the files/folders you deleted. 

Please refer to Appendix H: Windows Cleaning Tools before continuing. 

PRIVAZER: 

Here are the steps for PrivaZer: 

>> Download and install PrivaZer from https://privazer.com/en/download.php [Archive.org] 
>> Run PrivaZer after install 
>> Do not use their Wizard 
>> Select Advanced User 
>> Select Scan in Depth and pick your Target 
>> Select everything you want to Scan and push Scan 
>> Select what you want to be cleaned (skip the shell bag part since you used the other utility for that) 
>> (If you did select Free Space cleaning) Select Clean Options and make sure your type of Storage is well detected (HDD vs SSD). 
>> (If you did select Free Space cleaning) Within Clean Options (be careful with this option as it will erase all the free space on the selected partition, especially if you are running the Decoy OS: do not erase the free space of the second partition as you risk destroying your Hidden OS): 
>> If you have an SSD drive: 
>> Secure Overwriting Tab: I would just pick Normal Deletion + Trim (Trim itself should be enough). Secure Deletion (with Trim, 1 pass) might be redundant and overkill here if you intend to overwrite the free space anyway. 
>> Free Space Tab: Personally, and again “just to be sure”, I would select Normal Cleanup which will fill the entire free space with Data. I do not really trust Smart Cleanup as it does not actually fill all the free space of the SSD with Data. But again, this is probably not needed and overkill in most cases. 
>> If you have an HDD drive: 
>> Secure Overwriting Tab: I would just pick Secure Deletion (1 pass). 
>> Free Space: I would just pick Smart Cleanup as there is no reason to overwrite sectors without data on an HDD drive. 
>> Select Clean and pick your flavor: 
>> Turbo Cleanup will only do normal deletion (on HDD/SSD) and will not clean free space. It is not secure on an HDD nor an SSD. 
>> Quick Cleanup will do secure deletion (on HDD) and normal deletion + trim (on SSD) but will not clean free space. This is secure enough for SSD but not for HDD. 
>> Normal Cleanup will do secure deletion (on HDD) and normal deletion + trim (on SSD) and will then clean the whole free space (Smart Cleanup on HDD and Full Cleanup on SSD) and should be secure. This option is the best for HDD but completely overkill for SSD. 
>> Click Clean and wait for cleaning to finish. Could take a while and will fill your whole free space with data. 


BLEACHBIT: 

Here are the steps for BleachBit: 

>> Get and install the latest version from BleachBit here https://www.bleachbit.org/download [Archive.org] 
>> Run BleachBit 
>> Clean at least everything within those sections: 
>> Deep Scan 
>> Windows Defender 
>> Windows Explorer (including Shellbags) 
>> System 
>> Select any other traces you want to remove from their list 
>> Again, as with the earlier utility, I would not clean the free space on an SSD drive because I think the Windows native “optimize” utility is enough (see below) and that filling up the free space on a trim enabled SSD is just completely overkill and unnecessary. 
>> Click Clean and wait. This will take a while and, if you selected free space cleaning, will fill your whole free space with data on both HDD and SSD drives. 

WINDOWS NATIVE OPTIMIZE TOOL: 

With this native Windows 10 utility, you can just trigger a Trim on your SSD which should be more than enough to securely clean all deleted files that somehow would have escaped Trim when deleting them. 

Just open Windows Explorer, right-click on your System Drive and click Properties. Select Tools. Click Optimize and then Optimize again. You are done. That is probably enough in my opinion. 

You can verify that Windows actually issues Trim with fsutil behavior query DisableDeleteNotify from an elevated prompt (NTFS DisableDeleteNotify = 0 means Trim is enabled), and the same retrim can be triggered from an elevated PowerShell with Optimize-Volume -DriveLetter C -ReTrim -Verbose. 

[Screenshot: the Optimize Drives window showing “Windows (C:)”, media type “Solid state drive”, current status “OK (0 days since last retrim)”, with scheduled optimization turned on and a weekly frequency.] 





Chances are your actions (such as posts on various platforms, your profiles) will be indexed (and cached) by many search engines. 


Contrary to widespread belief, it is possible to have some but not all this information removed by following some steps. While this might not 
remove the information on the websites themselves, it will make it harder for people to find it using search engines: 


First, you will have to delete your identities from the platform themselves if you can. Most will allow this but not all. For some, you might 
have to contact their support/moderators and for others, there will be readily available forms to do so. 





>> If they do not allow the removal/deletion of profiles, there might be a possibility for you to rename your identity. Change the username if
you can and all account information with bogus information including the e-mail.


>> If allowed, you can also sometimes edit past posts to remove the information within those. 

You can check some useful information about how to delete various accounts (and get your data from them) on these websites:
>> https://justdeleteme.xyz/ [Archive.org]
>> https://justgetmydata.com/ [Archive.org] 
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Go to their “Remove outdated content from Google Search” page here: https://search.google.com/search-console/remove-outdated-content [Archive.org] and submit a request accordingly.

If your profile/Username was deleted/changed, they should re-index the content and update accordingly, and remove these traces. 
These requests might take several days to process. Be patient. 

Bing: 
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Go to their “Content Removal” page here: https://www.bing.com/webmasters/tools/contentremoval [Archive.org] and submit a request
accordingly.


If your profile/Username was deleted/changed, they should re-index the content and update accordingly, and remove these traces.
This might take several days to process. Be patient. 


DuckDuckGo: 


DuckDuckGo does not store a cached version of pages and will instead forward you to a Google/Bing cached version if available.
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in time have it removed from DuckDuckGo too.


Yandex:
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Once you have your Yandex account, head to the Yandex Webmaster tools https://webmaster.yandex.com [Archive.org] and then select Tools and
Delete URL https://webmaster.yandex.com/tools/del-url/ [Archive.org]


There you can input the URLs that no longer exist if you had them deleted.


This will only work with pages that have been deleted and therefore will not work with removing the cache of existing records. For that 
unfortunately there is no tool available to force a cache update, but you can still try their feedback tool: 


Search for the page that was changed (where your profile was deleted/changed) and click the arrow next to the result. Select Complain. And
submit a complaint about the page not matching the search result. Hopefully, this will force Yandex to re-crawl the page and re-index it after
some time. This could take days or weeks.


Qwant:


As far as I know, there is no readily available tool to force this, and you will have to wait for the results to get updated if there is any. If you
know a way, please report this to me through the GitHub issues. 


Yahoo Search: 


Yes, Yahoo Search still exists but as per their help page https://help.yahoo.com/kb/SLN4530.html [Archive.org] there is no way to remove
information or refresh information besides waiting. This could take 6 to 8 weeks. 


Baidu: 


As far as I know, there is no readily available tool to force this unless you control the website (and do it through their webmaster tools).
Therefore, you will have to wait for the results to get updated if there is any. If you know a way, please report this to me through the GitHub 
issues. 





Wikipedia: 


As far as I know, there is no way to remove information from Wikipedia articles themselves but if you just want to remove traces of your
username from it (as a user that contributed), you can do so by following these steps: 


https://en.wikipedia.org/wiki/Wikipedia:Courtesy_vanishing [Wikiless] [Archive.org]
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a user. 


Archive.today:


Some information can sometimes be removed on demand (sensitive information for example) as you can see many examples here: 
https://blog.archive.today/archive 


This is done through their “ask” page here: https://blog.archive.today/ask 


Internet Archive: 


You can remove pages from internet archives but only if you own the website in question and contact them about it. Most likely you will 
not be able to remove archives from say “Reddit posts” or anything alike. But you could still ask and see what they answer. 


As per their help page https://help.archive.org/hc/en-us/articles/360004651732-Using-The-Wayback-Machine
“How can I exclude or remove my site’s pages from the Wayback Machine?
You can send an e-mail request for us to review to info@archive.org with the URL (web address) in the text of your message”. 


Others: 


Have a look at those websites: 
>> https://justdeleteme.xyz/ 


>> https://inteltechniques.com/workbook.html [Archive.org] 


Some low-tech old-school tricks: 


Hidden communications in plain sight: 


You must keep in mind that using all those security measures (encryption, plausible deniability, VPN, Tor, secure operating systems ...) can
make you suspicious just by using them. Using them could be the equivalent of stating openly “I have something to hide” to an observer, which
could then motivate some adversaries to investigate/survey you further.


So, there are other ways you could exchange or send messages online to others in case of need without disclosing your identity or 
establishing direct communication with them. These have been in use by various organizations for decades and can be of help if you do not 
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A technique that combines the idea of a Dead Drop and Secure Communication Obfuscation through
Steganography and/or Kleptography has many names such as Koalang or “Talking Around” or even “Social Steganography”.


This technique is very old and still widely used nowadays by teenagers to bypass parental control. It is hiding in plain sight.
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their data, get rid of their burner phones and sensitive information? 


What if you want to let someone you trust (friends, family, lawyers, journalists ...) know that you are in trouble, and they should look out for
you? 


All this without revealing the identity of the person you are sending the message to nor disclosing the content of that message to any third
party, without raising suspicions, and without using any of the secure methods mentioned above.


Well, you could just use any online public platform for this (Instagram, Twitter, Reddit, any forum, YouTube ...) by using in-context (of the 
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This could be a set of specific emojis or a specifically worded mundane comment. Or even just a like on a specific post from a known 
influencer you usually watch and like. While this would look completely normal to anyone, this could mean a lot to a knowledgeable reader
who could then take appropriate agreed-upon actions. You could also hide the message using steganography, for instance using
https://stegcloak.surge.sh/.


You do not even have to go that far. A simple “Last seen” time on a specific account could be enough to trigger a message agreed upon. If
your interlocutor sees that this account was online, it could mean there is an issue.


How to spot if someone has been searching your stuff: 


There are some old tricks that you can use to spot if people have been messing with your stuff while you were away. 





One trick for instance is quite simple and just requires a wire/cable. Simply lay objects on your desk/night table or in your drawers following a 
straight line. You can use a simple USB cable as a tool to align them. 


Make a line with your cable and place objects along the line. When you are back, just check those places and check if the objects are still
placed along the line. This spares you from having to remember precisely where your things were, without taking pictures.


Fortunately, modern technology has made this even simpler. If you suspect someone might be looking through your stuff while you are away, 
you can just take a picture of the area with your phone before leaving. When you are back, just compare the areas with your pictures and 
everything should be exactly where you left it. If anything moved, then someone was there. 


It will be extremely hard and time-consuming for an adversary to search through your stuff and then replace it exactly as you left it with
complete precision.


What if it is a printed document or book and you want to know if someone read it? Even simpler. Just carefully make a note within the
document with a pencil. And then erase it with any pencil eraser as if you wanted to correct it. The trick is to carefully leave the eraser
residue on the erased area and close the document. You could also take a picture of the residue before
closing the document.


Most likely if someone went through your document to read it and re-placed it carefully, this residue will fall off or be moved significantly. It is a 
simple old-school trick that could tell you someone searched a document you had. 


Some last OPSEC thoughts: 


Wait, what is OPSEC? Well, OPSEC means Operations Security. The basic definition is: “OPSEC is the process of protecting individual
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passwords and passphrases). 


>> Make sure you are not keeping a copy of this guide anywhere unsafe after. The sole presence of this guide will most likely defeat all 
your plausible deniability possibilities. 


>> Consider the use of Haven https://guardianproject.github.io/haven/ [Archive.org] on some old android phone to keep watch on your
home/room while you are away. 


>> Doxx “yourself” and your identities from time to time by looking for them yourself online using various search engines to monitor your 
online identities. You can even automate the process somewhat using various tools such as Google Alerts 
https://www.google.com/alerts [Archive.org].


>> Remember Appendix N: Warning about smartphones and smart devices. Do not forget your smart devices can compromise your
anonymity. 


>> Do not ever use biometrics alone to safeguard your secrets. Biometrics can be used without your consent. 

>> Do not ever travel with those devices if you must pass strong border checks and where they could be illegal or raise suspicion. 
>> Do not plug any equipment in that laptop unless you trust it. Use a USB data blocker for charging.

>> Do check the signatures and hashes of software you download before installing them.

>> Remember the first rule of fight club and do not talk to anyone about your sensitive activities using your real identity. 


>> Keep a normal life and do not be weird. If you spend all your online time using Tor to access the internet and have no social network 
accounts at all ... You are already suspicious and attracting unnecessary attention. 


>> Encrypt everything but do not take it for granted. Remember the $5 wrench.
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>> Never ever leave your laptop unattended/on/unlocked anywhere when conducting sensitive activities. Remember the story of Ross
Ulbricht and his arrest https://en.wikipedia.org/wiki/Ross_Ulbricht#Silk_Road,_arrest_and_trial [Wikiless] [Archive.org].


>> Check for tampering regularly (not only your devices but also your home/room). 


>> If you can, do not talk to the police/authorities (at least if you are in the US) https://www.youtube.com/watch?v=d-7o9xYp7eE [Invidious]
without a lawyer. Remain silent. 


>> Know and always have at your disposal the details of a lawyer that could help you as a last resort in case things go wrong.
>> Read those tips here https://www.whonix.org/wiki/DoNot [Archive.org]
>> Finally, have common sense, do not be dumb, look and learn from others’ mistakes, watch/read these: 


>> Medium.com, Darkweb Vendors and the Basic Opsec Mistakes They Keep Making https://medium.com/@c5/darkweb-vendors-and-the-basic-opsec-mistakes-they-keep-making-e54c285a488c [Scribe.rip] [Archive.org]





>> 2020, Sinwindie, OSINT, and Dark Web Markets, Why OPSEC Still Matters https://www.youtube.com/watch?v=|qZZU9IFIF4 [Invidious]


>> 2020, RSA Conference 2020, When Cybercriminals with Good OpSec Attack https://www.youtube.com/watch?v=zXmZnU2GdVk [Invidious]


>> 2015, DEFCON 22, Adrian Crenshaw - Dropping Docs on Darknets: How People Got Caught, https://www.youtube.com/watch?v=eQ20ZkKitRwe [Invidious] (Slides [Archive.org])


>> 2017, Ochko123 - How the Feds Caught Russian Mega-Carder Roman Seleznev https://www.youtube.com/watch?v=6Chp12sEnWk [Invidious]


>> 2015, DEF CON 22 - Zoz - Don’t Fuck It Up! https://www.youtube.com/watch?v=J194Ir2U8P8 [Invidious]


>> 2020, Bad Opsec - How Tor Users Got Caught, https://www.youtube.com/watch?v=GR_U0G-QGA0 [Invidious]


FINAL OPSEC DISCLAIMER: KEEP YOUR ANONYMOUS IDENTITIES COMPLETELY SANDBOXED FROM YOUR NORMAL 
ENVIRONMENT AND REAL IDENTITY. DO NOT SHARE ANYTHING BETWEEN THE ANONYMOUS ENVIRONMENTS AND THE REAL 
IDENTITY ENVIRONMENT. KEEP THEM COMPLETELY COMPARTMENTALIZED ON EVERY LEVEL. MOST OPSEC FAILURES ARE 
DUE TO USERS ACCIDENTALLY LEAKING INFORMATION RATHER THAN TECHNICAL FAILURES. 


If you think you got burned: 


If you have some time: 


>> Don't Panic. 

>> Delete everything you can from the internet related to that specific identity (accounts, comments ...). 

>> Delete everything offline you have related to that identity including the backups. 

>> (If using a physical SIM) Destroy the SIM card and trash it in a random trash can somewhere. 

>> (If using a physical Burner Phone) Erase then destroy the Burner phone and trash it in a random trashcan somewhere. 

>> Securely erase the laptop hard drive and then ideally proceed to physically destroy the HDD/SSD/Laptop and trash it somewhere. 
>> Do the same with your backups. 

>> Keep the details of your lawyer nearby or if needed, call them in advance to prepare your case if needed. 


>> Return to your normal activities and hope for the best.


If you have no time:


>> Don't Panic. 


>> Try to shut down/hibernate the laptop as soon as possible and hope for the best. If you are fast enough, your memory should decay or 
be cleaned, and your data should be mostly safe for the time being. 
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Keep in mind that many countries have specific laws to compel you to reveal your passwords that could override your “right to remain silent”.
See this Wikipedia article: https://en.wikipedia.org/wiki/Key_disclosure_law [Wikiless] [Archive.org] and this other visual resource with law
references https://www.gp-digital.org/world-map-of-encryption/ [Archive.org]


A small final editorial note: 
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privacy and even less so anonymity. Many will often say that 1984 by George Orwell was not meant to be an instruction book. Yet today this
guide and its many references should, I hope, reveal to you how far down we are in the rabbit hole.
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adversary for any purpose. Even if you do manage to keep secrets from prying eyes, anyone can fabricate anything to fit their narrative: 
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leaving traces. 


>> Files and their properties can be created, altered, and timestamped by anyone using simple utilities without leaving traces. 
>> EXIF information of pictures and videos can be altered by anyone using simple utilities without leaving traces. 


>> Digital Evidence (Pictures, Videos, Voice Recordings, E-Mails, Documents...) can be crafted, placed, removed, or destroyed with ease
without leaving traces. 
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“A lie can travel halfway around the world while the truth is putting on its shoes”.


Please keep thinking for yourself, use critical thinking, and keep an open mind. “Sapere Aude” (Dare to know!). 
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One, Chapter Seven. 


Consider helping others (see Helping others staying anonymous) 
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See: https://anonymousplanet-ng.org/donations.html 
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Helping others staying anonymous: 
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so in several ways: 


>> The Easiest: 
>> Using the Snowflake addon on your browser (https://snowflake.torproject.org/ [Archive.org])
>> Slightly more work:
>> Running a Tor relay node (https://community.torproject.org/relay/ [Archive.org])
>> See Recommended VPS hosting providers
>> Additional Tutorial: https://torrelay.ca/ [Archive.org]


If you want a bit more challenge, you can also run a Tor Exit node anonymously using the recommended VPS providers above. 


For this, see https://blog.torproject.org/tips-running-exit-node [Archive.org] 
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https://metrics.torproject.org/rs.html#search/family:970814F267BF3DE9DFF2A0F8D4019F80C68AEE26
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Appendix A: Windows Installation 


This is the Windows 10 installation process that should be valid for any Windows 10 install within this guide. 
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Installation: 


DO NOT CONNECT WINDOWS TO ANY NETWORK DURING THE INSTALLATION PROCESS (This will allow us to create a Local Account 
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>> Click “Install Now” 
>> Select “I don’t have a product key”
>> Select the flavor you want:
>> Host OS: Use
>> You intend to use Plausible Deniability: Windows Home
>> You do not intend to use Plausible Deniability: Windows Pro
>> VM OS: Use Windows Pro or Windows Pro N
>> Select Custom


>> Storage: 





>> If this is a simple OS installation (Host OS with Simple Encryption) or VM without encryption, select the whole disk and proceed 
with the installation (skip the next step). 


>> If this is part of a plausible deniability encryption set up on the Host OS: 
>> If you are installing Windows for the first time (Hidden OS): 
>> Delete the current partitions 
>> Create the First partition with at least 50GB of disk space (about a third of the total disk space). 
>> Create a second partition with the remaining two-thirds of the total disk space. 
>> If you are installing Windows for the second time (Decoy OS): 
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>> Install Windows on the first partition you created during the first install.
>> Proceed with the install in the first partition 
>> Start the install process 
>> Select the Region “United Kingdom” 
>> Skip the additional Keyboard Layout 
>> Select “I don’t have internet”
>> Select “Continue with limited setup” 
>> Create a username of your choice. 
>> Use a password of your choice. 
>> Select all three security questions and answer whatever you want (not real data). 
>> Do not use Online Speech Recognition 
>> Do not let the app use your location 
>> Do not enable “find my device” 
>> Only send “required diagnostic data” 
>> Do not improve inking and typing
>> Do not get any improved tailored experience. 
>> Do not let apps use Advertising ID 


>> Select “Now” at the Cortana prompt 
Privacy Settings: 


>> When the install is finished, get into Settings > Privacy and do the following:
>> General: All Off
>> Speech: Off
>> Inking and Typing: Off
>> Diagnostic: Required level at off, options on OFF, Delete your data, frequency set to Never 
>> Activity History: all Off and Clear the history 
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>> Voice Activation: All Off 
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>> Calendar access: Disable it (change button) 
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>> Call History: Disable it (change button) 





>> E-mail: Disable it (change button) 
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>> Other devices: Set to Off 

>> Background apps: Disable it (change button)
>> App Diagnostics: Disable it (change button) 
>> Documents: Disable it (change button) 

>> Pictures: Disable it (change button) 
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>> File system: Disable it (change button) 


>> Disable File Indexing by going into the “Indexing Options” (Go into Windows 10 Control Panel, switch the view to “Large Icons” and
select Indexing Options).


>> Modify the list and remove all locations. 
>> Go into Advanced and click Rebuild. 
>> (Host OS only) Disable Bluetooth in the settings: 
>> Go into Settings 
>> Go into Devices 
>> Select Bluetooth and turn it off 
>> (Host OS Only) Tape the Webcam and Microphone anyway for extra paranoia. 


>> (Host OS Only) Go into Settings > Network & Internet > Wi-Fi and Enable Random Hardware Address. 


Appendix B: Windows Additional Privacy Settings 


As written earlier in this guide and as noted by PrivacyGuides.org, Windows 10 is a privacy nightmare and disabling everything during
and after the installation using the settings available to you is not enough. The amount of telemetry data collected by Microsoft is staggering 
and could defeat your attempts at keeping secrets. You will need to download and use a couple of utilities to (hopefully) force Windows 10 
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Here are the steps in detail: 
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Do these steps from a different computer to not connect Windows 10 to the internet before those settings are applied. You can 
download and copy those to the USB key (for transfer onto a Windows 10 fresh installation) or if it is a VM, you can transfer 
them to the VM within Virtualbox (VM Settings > General > Advanced > Drag n Drop > Enable Host to Guest). 


>> Download and install W10Privacy from https://www.w10privacy.de/english-home/ [Archive.org]
>> Open the app as Administrator (right-click > more > run as administrator)
>> Check all the recommended (Green) settings and save.
>> Optional but recommended (but could break things, use at your own risk), also check the orange/red settings, and save.
>> Reboot
>> Download and run WindowsSpyBlocker from https://crazymax.dev/WindowsSpyBlocker/download/ [Archive.org]
>> Type 1 and go into Telemetry
>> Type 1 and go into Firewall
>> Type 2 and add Spy Rules
>> Reboot
>> Also, consider using ShutUp10 from https://www.oo-software.com/en/shutup10 [Archive.org]
>> Enable at least all the recommended settings 


>> Go back one last time Settings > Privacy > Diagnostic and Delete all Data. 
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silently re-enable telemetry using those updates. 
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https://github.com/beerisgood/windows10_hardening [Archive.org] (This is a security guide, not a privacy guide. If you use this guide, do
not enable Hyper-V as it does not play well with Virtualbox, and do not enable features that were specifically disabled for privacy reasons 
earlier. Such as SmartScreen, cloud protection...) 


Appendix C: Windows Installation Media Creation 


These are the steps to create a Windows 10 (21H1) Installation Media using this tool and instructions: 


https://www.microsoft.com/en-us/software-download/windows10 [Archive.org] 
>> Download the tool and execute it from your Download folder. 
>> Agree to the terms 
>> Select the process to Create an installation Media. 
>> Select Windows 10 64 Bits edition with the language of your choice. 
>> Pick which process you want:
>> If installing on a physical computer: Select USB Flash Drive 
>> If installing on a Virtual Machine: Select ISO file and save it. 


>> Proceed 


Appendix D: Using System Rescue to securely wipe an SSD drive.


These instructions are valid for all Operating Systems: 
>> System Rescue: 


>> Create a System Rescue USB disk following these instructions https://www.system-rescue.org/Installing-SystemRescue-on-a-USB-memory-stick/ [Archive.org] (download the ISO and write to a USB stick with Rufus).


>> Disable Secure Boot in your BIOS/UEFI settings and change the boot order to the USB disk (System Rescue bootloader is not 
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>> Follow the instructions to change the keyboard layout by typing “setkmap”.
>> (optional) Run startx afterward to start a graphical environment. 
>> SATA SSD: 
>> (If you ran startx) Open a terminal 
>> ATA Secure Erase: 
>> Follow one of these tutorials 
>> https://wiki.archlinux.org/index.php/Solid_state_drive/Memory_cell_clearing [Archive.org]
>> https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase [Archive.org]
>> https://tinyapps.org/docs/wipe_drives_hdparm.html [Archive.org]
>> ATA Sanitize:
>> Follow this tutorial https://tinyapps.org/docs/ata_sanitize_hdparm.html [Archive.org]
>> NVMe SSD:
>> (If you ran startx) Open a terminal
>> Follow one of these tutorials:
>> https://wiki.archlinux.org/index.php/Solid_state_drive/Memory_cell_clearing [Archive.org]
>> https://tinyapps.org/docs/nvme-secure-erase.html [Archive.org]
>> https://tinyapps.org/docs/nvme-sanitize.html [Archive.org]





Appendix E: Clonezilla 
>> Get Clonezilla by just following these instructions: https://clonezilla.org/liveusb.php [Archive.org] (I recommend the Alternative version
AMD64 that should work with most recent laptops) 
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>> Follow these steps to make a backup: https://clonezilla.org/show-live-doc-content.php?topic=clonezilla-live/doc/01_Save_disk_image 
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backup). 
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>> You are done, if you need to restore, follow these instructions: https://clonezilla.org/show-live-doc-content.php?topic=clonezilla- 
live/doc/02_Restore_disk_image [Archive.org]


Each backup could take a while depending on the speed of your laptop and the speed of your external drive. In my experience, expect about
1 hour per backup depending on the drive size and the write speed of your backup media (my tests were done backing up 256GB SSDs on a
USB 3.0 7200rpm HDD).


Appendix F: Diskpart 
Diskpart is a Windows utility that can be used to perform various operations on your hard drive. In this case, we will use Diskpart to show the
Disk ID but also change it if necessary.


This could be needed if you restore a backup on a new HDD/SSD that has an ID that differs from the one backed up and Windows could 
refuse to boot. 


Diskpart can be run from any Windows environment using a command prompt. This includes recovery disks created by utilities such as 
Macrium Reflect, any Windows Installation media, EaseUS Todo Free rescue disks. 


>> Displaying the disk ID 
>> Run Diskpart to enter the Diskpart utility 
>> Issue the list disk command to list the disks
>> Issue the sel disk x (replace x with your system disk) to select your system disk
>> Issue the detail disk to show the details of this disk
>> Take note of the disk ID (this should be done BEFORE backing up your disks).
>> Changing the disk ID
>> This step should only be done if, after restoring a full disk backup to a new hard drive, Windows refuses to boot 
>> Issue the same commands as above on the target new disk 


>> Issue, in addition, the command uniqueid disk id=02345678 (where you replace the id by the one you noted before) 
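The same record-then-restore workflow scripted, as an added example that is not part of the guide: it saves every disk's identifier before the backup and writes the diskpart script for the uniqueid step so nothing has to be typed by hand on a machine that will not boot. The CSV path and the restored disk number are assumptions.

```powershell
# Added example, not part of the guide. Run in an elevated PowerShell.
# Placeholders: $before (where the IDs are kept) and $restoredDisk (the new disk's number).
$before = "$env:USERPROFILE\disk-ids-before-backup.csv"

# --- BEFORE the backup: record each disk's identifier ---
# MBR disks use a 32-bit signature, which diskpart shows as 8 hex digits;
# GPT disks use a GUID. Keep both, with the partition style, so the right one is used later.
$ids = Get-Disk | Select-Object Number, FriendlyName, PartitionStyle,
    @{ Name = 'SignatureHex'; Expression = { '{0:X8}' -f $_.Signature } },
    Guid
$ids | Format-Table -AutoSize
$ids | Export-Csv -Path $before -NoTypeInformation

# --- AFTER restoring, only if Windows refuses to boot from the new disk ---
$restoredDisk = 0                                      # placeholder: disk number of the new drive
$saved = Import-Csv -Path $before | Where-Object { [int]$_.Number -eq $restoredDisk }
if (-not $saved) { throw "No record for disk $restoredDisk in $before" }
$wantedId = if ($saved.PartitionStyle -eq 'GPT') { $saved.Guid } else { $saved.SignatureHex }

# The guide's manual steps (sel disk, detail disk, uniqueid disk id=...) as a diskpart script.
$script = "$env:TEMP\fix-disk-id.txt"
@"
select disk $restoredDisk
detail disk
uniqueid disk id=$wantedId
detail disk
"@ | Set-Content -Path $script -Encoding ASCII

Write-Host "Review $script, then apply it with:  diskpart /s `"$script`""
```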


Appendix G: Safe Browser on the Host OS 


If you can use Tor: 


This guide will only recommend using Tor Browser within the host OS because it has the best protection by default. The only
other acceptable option in my opinion would be to use Brave Browser with a Tor tab but keep in mind that Brave themselves recommend 
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This Browser on the host OS will only be used to download various utilities and will never be used for actual sensitive activities. 
Refer to Appendix Y: Installing and using desktop Tor Browser. 


If you are experiencing issues connecting to Tor due to Censorship or Blocking, you might consider using Tor bridges as explained here: 
https://bridges.torproject.org/ [Archive.org] 


Use this browser for all the next steps within the host OS unless instructed otherwise. 


If you cannot use Tor: 





Because it is too dangerous/risky/suspicious, I would recommend as a last resort using Firefox, or Brave only using Private Windows for now.
See Appendix P: Accessing the internet as safely as possible when Tor and VPNs are not an option before continuing. 


Only do this from a different safe public Wi-Fi every time (See Find some safe places with decent public Wi-Fi) and using a long-range 
connection (See Appendix Q: Using long-range Antenna to connect to Public Wi-Fis from a safe distance).


Clean all the data from the browser after each use. 


Use this method for all the next steps within the host OS unless instructed otherwise. 


Appendix H: Windows Cleaning Tools 
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>> Native Tools: 


>> Windows 10 Disk Cleanup Utility: https://support.microsoft.com/en-us/windows/disk-cleanup-in-windows-10-8a96ff42-5751-39ad-23d6-434b4d5b9a68 [Archive.org]
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clean more stuff. PrivaZer for instance will use the disk cleanup utility directly itself and BleachBit will use its own mechanisms. 


>> Windows 10 Optimize Utility (Defrag on HDD Drives): https://support.microsoft.com/en-us/windows/defragment-your-windows-10-pc-048aefac-7f1f-4632-d48a-9700c4ec702a [Archive.org]


For security, this tool is particularly useful on SSD drives as this “Optimize” function will in fact force a disk-wide Trim operation to
occur. This will most likely be more than enough to make sure any deleted data that was not trimmed before for any reason will
be this time. Deleted data with Trim is very unlikely to be recovered as explained before in this guide.


>> Third-Party Tools: 
>> The open-source utility BleachBit https://www.bleachbit.org/ [Archive.org]


>> The closed-source utility PrivaZer https://privazer.com/ [Archive.org]


I prefer PrivaZer because it has more customization and smarter features, but I would understand if you do not trust them and prefer
open-source software in which case I would recommend BleachBit which offers a bit less customization but similar functionalities.


Both these tools can be used for cleaning many things such as: 


>> The Windows USN journal which stores plenty of information.


>> The Windows System Resource Usage Monitor (SRUM).
>> Various histories of various programs (such as the recent lists). 


>> Various logs 


>> The free (unallocated) space of your hard drive.


>> Secure deletion of files 
>> Secure wiping of USB drives 


Both these utilities can delete files and can overwrite the free space after deletion to improve secure deletion even on SSD drives. 
Remember this can reduce the lifespan of your SSD drives a bit. 


Appendix I: Using ShredOS to securely wipe an HDD drive: 


Several utilities are recommended (like the old unmaintained DBAN or System Rescue CD (https://www.system-rescue.org/ [Archive.org])).
Feel free to go with DBAN instead if you want (using this tutorial: https://www.lifewire.com/how-to-erase-a-hard-drive-using-dban-2619148 [Archive.org]); the process is basically the same but will not work out of the box with UEFI laptops.

If you want to go with System-Rescue, just head to their website and follow the instructions.
Windows: 
>> Download ShredOS from https://github.com/PartialVolume/shredos.2020.02 [Archive.org]
>> Unzip the archive to get the ShredOS IMG file
>> Download Rufus from https://rufus.ie/ [Archive.org]
>> Launch Rufus
>> Select the ShredOS IMG file
>> Write it to a USB key
>> When done, reboot and boot the USB key (you might have to go into your BIOS settings to change the boot order for this).
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>> Follow the instructions on https://github.com/PartialVolume/shredos.2020.02 [Archive.org]
>> Reboot and boot the USB key 
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Appendix J: Manufacturer tools for Wiping HDD and SSD 
drives: 


Always check your laptop BIOS/UEFI for native utilities first. 
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drives (such as ATA Secure Erase or Sanitize). 
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Tools that provide a boot disk for wiping from boot: 


>> SanDisk DashBoard: https://kb.sandisk.com/app/answers/detail/a_id/15108/~/dashboard-support-information [Archive.org]
>> Seagate SeaTools: https://www.seagate.com/support/downloads/seatools/ [Archive.org]
>> Samsung Magician: https://www.samsung.com/semiconductor/minisite/ssd/download/tools/ [Archive.org]
>> Kingston SSD Manager: https://www.kingston.com/unitedstates/en/support/technical/ssdmanager [Archive.org]
>> Lenovo:
>> Most likely native utility available within the BIOS/UEFI, please check
>> Drive Erase Utility: https://support.lenovo.com/us/en/downloads/ds019026-thinkpad-drive-erase-utility-for-resetting-the-cryptographic-key-and-erasing-the-solid-state-drive-thinkpad [Archive.org]
>> Crucial Storage Executive: https://www.crucial.com/support/storage-executive [Archive.org]
>> Western Digital Dashboard: https://support.wdc.com/downloads.aspx?p=279 [Archive.org]
>> HP: Follow instructions on https://store.hp.com/us/en/tech-takes/how-to-secure-erase-ssd [Archive.org]
>> Transcend SSD Scope: https://www.transcend-info.com/Support/Software-10/ [Archive.org]
>> Dell:
>> Most likely native utility available within the BIOS/UEFI, please check https://www.dell.com/support/kbdoc/en-us/000134997/using-the-dell-bios-data-wipe-function-for-optiplex-precision-and-latitude-systems-built-after-november-2015?lwp=rt [Archive.org]


Tools that provide support only from a running OS (for external drives):


>> Toshiba Storage Tools: https://www.toshiba-storage.com/downloads/ [Archive.org]
Appendix K: Considerations for using external SSD drives 
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Please do not buy or use gimmicky self-encrypting devices such as these: https://syscall.eu/blog/2018/03/12/aigo_part1/ [Archive.org] 
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If you want to use an external SSD drive for sensitive storage: 

>> Please consider the support for: 


>> Trim operations and ATA/NVMe secure erase operations from your Laptop USB controller. 





>> Trim operations and ATA/NVMe secure erase operations from your USB SSD disk itself. 
>> Always use full disk encryption on those disks 
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SSD drives). 
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So how to check if your external USB SSD supports Trim and other ATA/NVMe operations from your Host OS? 
Windows: 


Trim Support: 


It is possible Windows will detect your external SSD properly and enable Trim by default. Check if Optimize Works using the Windows Native 
disk utility as explained in the internal SSD section of Windows. 


ATA/NVMe Operations (Secure Erase/Sanitize) : 


Use the manufacturer-provided tools to check and perform these operations. It is pretty much the only way to be sure that they are not only supported but actually work. Some utilities such as CrystalDiskInfo can tell you whether an operation is supported or not, but will not actually check that it works. See Appendix J: Manufacturer tools for Wiping HDD and SSD drives.


If it does not work, just decrypt and re-encrypt the whole drive, or fill up the free space as instructed in the guide. There is no other way AFAIK, besides booting a System Rescue Linux CD (see the next section).


Linux:
Trim Support: 


Follow this good tutorial: https://www.glump.net/howto/desktop/enable-trim-on-an-external-ssd-on-linux [Archive.org] 
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It is not "recommended". Please read the disclaimers here https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase [Archive.org] and here https://wiki.archlinux.org/index.php/Solid_state_drive/Memory_cell_clearing [Archive.org].


But this seems to be based on anecdotal experiences. So, if you are sure your external SSD (and its USB bridge) supports these operations (see the vendor documentation), you could try, at your own risk, to issue a secure erase with nvme-cli or hdparm.


See also this tutorial https://code.mendhak.com/securely-wipe-ssd/ [Archive.org]


Your mileage may vary. Use at your own risk.
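Before running hdparm or nvme-cli against an external SSD, it is worth seeing what the Linux host itself believes about the drive. The script below is an added example (not code from the guide) that reads the two places that answer this: the kernel's discard columns from lsblk, which tell you whether Trim requests will even be passed through the USB bridge, and the ATA identify data from hdparm, which tells you whether the drive advertises TRIM and whether its security state is "frozen" (a frozen drive rejects SECURITY ERASE until it is unfrozen, typically by a suspend/resume cycle). It assumes util-linux lsblk, hdparm for SATA and nvme-cli for NVMe; the device names are placeholders and the captured tool outputs used in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not from the guide): check what a Linux host believes about
# TRIM and ATA secure-erase support for a disk, before issuing anything
# destructive. Assumes util-linux lsblk, hdparm (SATA) and nvme-cli (NVMe).
# Device names such as "sdb" are placeholders.

# lsblk -D prints DISC-GRAN/DISC-MAX; both are "0B" when the block layer will
# not pass discard requests to the device (typical for USB bridges that drop
# UNMAP). Exit 0 = discard supported, 1 = not supported, 2 = device not listed.
# Usage: trim_supported_from_lsblk "$(lsblk -D -d)" sdb
trim_supported_from_lsblk() {
  printf '%s\n' "$1" | awk -v dev="$2" '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    $1 == dev {
      found = 1
      ok = ($(col["DISC-GRAN"]) != "0B" && $(col["DISC-MAX"]) != "0B")
    }
    END { exit found ? (ok ? 0 : 1) : 2 }'
}

# hdparm -I lists "Data Set Management TRIM supported" under Commands/features
# when the drive itself advertises TRIM (separate from the host passing it on).
trim_supported_from_hdparm() {
  printf '%s\n' "$1" | grep -q 'Data Set Management TRIM supported'
}

# Parse the "Security:" block of hdparm -I. SECURITY ERASE UNIT needs the
# feature set "supported" and the drive "not frozen"; many laptop BIOSes freeze
# the drive at boot, in which case hdparm prints "frozen" and the erase command
# is rejected until the drive is unfrozen (e.g. by a suspend/resume cycle).
secure_erase_ready_from_hdparm() {
  printf '%s\n' "$1" | tr '\t' ' ' | awk '
    /^Security:/ { insec = 1; next }
    insec && /^[^ ]/ { insec = 0 }            # next top-level section
    insec {
      line = $0; gsub(/ +/, " ", line); sub(/^ /, "", line); sub(/ $/, "", line)
      if (line == "supported")  supported = 1
      if (line == "frozen")     frozen = 1
      if (line == "not frozen") frozen = 0
    }
    END { exit (supported && !frozen) ? 0 : 1 }'
}

# Live report for one device; run as root: ./trimcheck.sh sdb  (or nvme0n1)
report_device() {
  dev=$1
  if trim_supported_from_lsblk "$(lsblk -D -d)" "$dev"; then
    echo "$dev: block layer accepts discard (fstrim will reach the drive)"
  else
    echo "$dev: no discard through this controller; fall back to re-encrypting or filling free space"
  fi
  case $dev in
    nvme*)  # ONCS bit 2 = Dataset Management (TRIM); SANICAP != 0 = Sanitize supported
            nvme id-ctrl "/dev/$dev" | grep -Ei '^(oncs|sanicap)' ;;
    *)      info=$(hdparm -I "/dev/$dev" 2>/dev/null)
            trim_supported_from_hdparm "$info" && echo "$dev: drive advertises ATA TRIM"
            if secure_erase_ready_from_hdparm "$info"; then
              echo "$dev: ATA SECURITY ERASE possible (supported, not frozen)"
            else
              echo "$dev: ATA SECURITY ERASE not possible now (unsupported or frozen)"
            fi ;;
  esac
}

if [ $# -gt 0 ]; then
  report_device "$1"
fi
```

The lsblk check is the one that catches the common external-drive failure: the SSD advertises TRIM, but the USB-to-SATA bridge never forwards it, so lsblk shows 0B for DISC-GRAN and DISC-MAX and a later `fstrim -v` reports "the discard operation is not supported". In that situation, the re-encrypt or fill-free-space fallbacks above are the only options short of pulling the disk out of its enclosure.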
macOS: 
Trim Support: 


According to Apple documentation, Trim is supported on APFS (asynchronously) and on HFS+ (through periodic trim or First Aid).


So, if it is supported (and enabled on your external SSD), you should be able to issue a Trim on a non-APFS drive by running First Aid on it from Disk Utility.


If your disk supports it but it is not enabled in macOS, you could try issuing a "sudo trimforce enable" command from the Terminal and see if it enables Trim on your external SSD, then run First Aid again if the drive is not APFS (see this tutorial for details: https://www.lifewire.com/enable-trim-for-ssd-in-os-x-yosemite-2260789 [Archive.org]).


If it does not work, I am not aware of any reliable method to enable Trim besides the commercial utility Trim Enabler (https://cindori.org/trimenabler/ [Archive.org]), which claims support for external drives.
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>> Use a bootable System Rescue USB Linux to do it 
>> Just decrypt and re-encrypt the drive using Disk Utility or Veracrypt 


>> Fill up the free space of the disk using the Linux method (dd) 


Appendix L: Creating a mat2-web guest VM for removing 
metadata from files 





Download the latest Debian testing amd64 netinst ISO from https://www.debian.org/CD/netinst/ [Archive.org]
(Get testing to get the latest mat2 release; stable is a few versions back.)


This is very lightweight, and I recommend you do it from a VM (VM inside a VM) to benefit from the Whonix Tor Gateway. While it is possible to put this VM directly behind a Whonix Gateway, Whonix will not easily (AFAIK) allow communications between VMs on its network by default.


You could also just leave it on the clearnet during the install process and then move it to the Host-Only network later, or install it from a VM within a VM and then move it to the host OS for Host-Only usage:

>> Create a new machine with any name like mat2 

>> Select Linux as Type 

>> Select Debian (64-bit) as Version 

>> Leave the default options and click create 

>> Select the VM and click Settings 

>> Select System and disable the Floppy disk on the Motherboard tab 

>> Select the Processor tab and enable PAE/NX 

>> Select Audio and disable Audio

>> Select USB and disable the USB controller 

>> Select Storage and select the CD drive to mount the Debian Netinst ISO 

>> Select Network and Attach to NAT 

>> Launch the VM 

>> Select Install (not Graphical install) 

>> Select Language, Location, and Keyboard layout as you wish 

>> Wait for the network to configure (automatic DHCP) 

>> Pick a name like "Mat2"

>> Leave the domain empty 

>> Set a Root password as you wish (preferably a good one still) 

>> Create a new user and password as you wish (preferably a good one still) 

>> Select the Time Zone of your choice 

>> Select Guided - Use the entire disk 

>> Select the only disk available

>> Select All files in one partition 

>> Confirm and write changes to the disk 

>> Select NO to scan any other CD or DVD 

>> Select any region and any mirror of your choice and leave proxy blank 

>> Select no to take part in any survey 

>> Select only Standard System Utilities (uncheck everything else)

>> Select Yes to install GRUB bootloader 
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>> Complete the install and reboot

>> Log in with your user or root (you should never use root directly as a best security practice but in this case, it is “okay”) 

>> Update your install by switching to root with su and running apt update followed by apt upgrade (it should already be up to date since it is a net install)


>> Still as root, install the necessary packages for mat2 by running apt install ffmpeg uwsgi python3-pip uwsgi-plugin-python3 librsvg2-dev git mat2 apache2 libapache2-mod-proxy-uwsgi


>> Go to the /var/www directory by running cd /var/www/
>> Clone mat2-web from the mat2-web repository by issuing git clone https://0xacab.org/jvoisin/mat2-web.git


>> Create a directory for uploads by running mkdir ./mat2-web/uploads/ 





>> Give permissions to Apache2 to read the files by running chown -R www-data:www-data ./mat2-web
>> Enable apache2 uwsgi proxy by running /usr/sbin/a2enmod proxy_uwsgi 
>> Upgrade pip by running python3 -m pip install pip --upgrade 


>> Install some Python modules by running python3 -m pip install flasgger pyyaml flask-restful flask cerberus flask-cors jinja2


>> Move to the config directory of mat2 by running cd /var/www/mat2-web/config/ 

>> Copy the apache2 config file to etc by running cp apache2.config /etc/apache2/sites-enabled/apache2.conf
>> Remove the default config file by running rm /etc/apache2/sites-enabled/000-default.conf

>> Edit the apache2 config file provided by mat2-web by running nano /etc/apache2/sites-enabled/apache2.conf
>> Remove the first line Listen 80

>> Change the uwsgi path from /var/www/mat2-web/mat2-web.sock to /run/uwsgi/uwsgi.sock and save/exit

>> Copy the uwsgi config file to etc by running cp uwsgi.config /etc/uwsgi/apps-enabled/uwsgi.ini
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>> Run chmod -R 777 /var/www/mat2-web (chown does not take a mode; note that this makes the whole tree world-writable, which is more than needed: ownership by the account uwsgi runs the app as, www-data on a default Debian setup, is enough for the uploads directory)

>> Restart uwsgi by running systemctl restart uwsgi (there should be no errors) 

>> Restart apache2 by running systemctl restart apache2 (there should be no errors) 

>> Now change the network settings of the VM to "Host-Only Network"

>> Reboot the VM

>> Log into the VM and type ip a to note the IP address it was assigned.

>> From the VM Host OS open a Browser and go to the IP of your Debian VM (for example http://192.168.1.55) 

>> You should now see a Mat2-Web website running smoothly 

>> Shut down the Mat2 VM by running shutdown -h now

>> Take a snapshot of the VM within Virtualbox 

>> Restart the Mat2 VM and you are ready to use Mat2-web to remove metadata from most files 

>> After use, shut down the VM and revert to the snapshot to remove traces of the uploaded files 


>> This VM does not require any internet access unless you want to update it in which case you need to place it back on the NAT network 
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>> For updates of Debian, start the VM and run apt update followed by apt upgrade

>> For updates of mat2-web, go to /var/www/mat2-web and run git pull 

>> After updates, shut down, place it back on the Host-Only network, take a new snapshot, and remove the earlier one.
You are done. 


Now you can just start this small mat2 VM when needed, browse to it from your Guest VM and use the interface to remove any metadata 
from most files. 


After each use of this VM, you should revert to the Snapshot to erase all traces. 


Do not ever expose this VM to any network unless temporarily for updates. This web interface is not suitable for any direct external 
access. 
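The build steps above, collected into one re-runnable script as an added example; this is neither the guide's nor the mat2-web project's own code. It assumes the package names and paths the guide uses and makes the two hand edits the guide asks for (drop the leading Listen 80 and point Apache at /run/uwsgi/uwsgi.sock) with sed, so the result can be checked rather than eyeballed in nano. The Apache stanza used by the self-test is constructed and only stands in for whatever apache2.config mat2-web ships. The ownership step replaces the world-writable chmod: it assumes uwsgi runs the app as www-data, Debian's default for apps-enabled, which is the only account that needs to write to uploads/; if your uwsgi.ini sets another uid, chown to that user instead.

```shell
#!/bin/sh
# Added example: the guide's mat2-web VM build as a script. Not the guide's
# or mat2-web's own code. Run as root inside the freshly installed Debian VM
# while it is still on the NAT network, then switch the VM to Host-Only.
set -eu

MAT2_DIR=/var/www/mat2-web
SITE=/etc/apache2/sites-enabled/apache2.conf

# The two edits the guide makes by hand in nano: remove a "Listen 80" line
# (Debian's ports.conf already listens there, so a second one stops Apache
# from starting) and point the uwsgi proxy at the socket Debian's uwsgi
# service actually opens. Usage: patch_mat2_apache_conf <conf-file>
patch_mat2_apache_conf() {
  sed -i \
    -e '/^Listen 80$/d' \
    -e 's#/var/www/mat2-web/mat2-web\.sock#/run/uwsgi/uwsgi.sock#g' \
    "$1"
}

# Returns 0 when the file no longer binds port 80 itself and uses the uwsgi
# socket path; used after patching and as a pre-flight check on reruns.
mat2_apache_conf_ok() {
  ! grep -q '^Listen 80$' "$1" && grep -q '/run/uwsgi/uwsgi.sock' "$1"
}

install_mat2_web() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  apt-get update
  apt-get install -y ffmpeg uwsgi python3-pip uwsgi-plugin-python3 \
    librsvg2-dev git mat2 apache2 libapache2-mod-proxy-uwsgi
  [ -d "$MAT2_DIR/.git" ] || git clone https://0xacab.org/jvoisin/mat2-web.git "$MAT2_DIR"
  mkdir -p "$MAT2_DIR/uploads"
  a2enmod proxy_uwsgi
  python3 -m pip install --upgrade pip
  python3 -m pip install flasgger pyyaml flask-restful flask cerberus flask-cors jinja2
  cp "$MAT2_DIR/config/apache2.config" "$SITE"
  rm -f /etc/apache2/sites-enabled/000-default.conf
  patch_mat2_apache_conf "$SITE"
  mat2_apache_conf_ok "$SITE" || { echo "unexpected apache2.config layout, edit $SITE by hand" >&2; return 1; }
  cp "$MAT2_DIR/config/uwsgi.config" /etc/uwsgi/apps-enabled/uwsgi.ini
  # Ownership instead of chmod 777: www-data (Apache, and uwsgi's app user on
  # a default Debian setup; adjust if uwsgi.ini sets uid/gid) owns the tree,
  # and only uploads/ needs to be writable.
  chown -R www-data:www-data "$MAT2_DIR"
  chmod -R u=rwX,go=rX "$MAT2_DIR"
  chmod 770 "$MAT2_DIR/uploads"
  systemctl restart uwsgi
  systemctl restart apache2
  echo "mat2-web is up; browse to http://$(hostname -I | awk '{print $1}')/ from the host"
}

# Offline self-test of the config edit on a constructed stanza (no root needed).
selftest_patch() {
  tmp=$(mktemp)
  printf 'Listen 80\n<VirtualHost *:80>\n    ProxyPass / unix:/var/www/mat2-web/mat2-web.sock|uwsgi://mat2-web/\n</VirtualHost>\n' > "$tmp"
  patch_mat2_apache_conf "$tmp"
  if mat2_apache_conf_ok "$tmp"; then rc=0; else rc=1; fi
  rm -f "$tmp"
  return $rc
}

case ${1:-} in
  install)  install_mat2_web ;;
  selftest) selftest_patch && echo "config patch ok" ;;
esac
```

Run `sh mat2vm.sh selftest` anywhere to confirm the sed edits do what the guide describes, and `sh mat2vm.sh install` as root inside the VM; rerunning install is safe because the clone and the patch are both idempotent.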


Appendix M: BIOS/UEFI options to wipe disks in various
Brands:


Here are some links on how to securely wipe your drive (HDD/SSD) from the BIOS for various brands: 
>> Lenovo ThinkPads: https://support.lenovo.com/be/en/solutions/migr-68369 [Archive.org]
>> HP (all): https://support.hp.com/gb-en/document/c06204100 [Archive.org]
>> Dell (all): https://www.dell.com/support/kbdoc/en-us/000146892/dell-data-wipe [Archive.org]
>> Acer (TravelMate only): https://us.answers.acer.com/app/answers/detail/a_id/41567/~/how-to-use-disk-sanitizer-on-acer-travelmate-notebooks [Archive.org]





>> Asus: no option AFAIK except maybe for some ROG models. 
>> Gigabyte: no option AFAIK 
>> Honor: no option AFAIK 


>> Huawei: no option AFAIK 


Appendix N: Warning about smartphones and smart devices 


When conducting sensitive activities, remember that: 
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Cell Networks to find which phone “turned off” before your burner phone “turned on”. While this might not work the first time, after a few 
times, the net will tighten, and you will get compromised. It is better to leave your main smartphone at home online (see this article 


(Russian, use Google Translate link): https://biboroda.livejournal.com/4894724.html [Google Translate] [Archive.org]) 
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removing the battery or, if not possible, using a Faraday cage bag to store your devices. There are many such Faraday "signal blocking" bags available for sale and some of these have been studied for their effectiveness. If you cannot afford such bags, you can probably achieve a "decent result" with one or several sheets of aluminum foil (as shown in the previously linked study).


>> Warning: consider that sensor data itself can also be reliably used to track you.


>> Consider leaving your smart devices at home, online and doing something (watching YouTube for instance), instead of taking them with you. This will mitigate tracking efforts and create digital traces that could indicate you were at home.


Additionally, if using a smartphone as a burner, know that they send a lot of diagnostics by default, enough to potentially identify you based on your device usage patterns (a technique known as biometric profiling). You should avoid using your burner unless absolutely necessary, to
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>> EncroChat: https://en.wikipedia.org/wiki/EncroChat [Wikiless] [Archive.org]
>> Sky ECC: https://en.wikipedia.org/wiki/Sky_ECC [Wikiless] [Archive.org]


You should never rely on some external commercial service to protect your anonymity. 


Appendix O: Getting an anonymous VPN/Proxy 


If you follow my advice, you will also need a VPN subscription but this time you will need an anonymous one that cannot be tied to you by the 
financial system. Meaning you will need to buy a VPN subscription with cash or a reasonably private cryptocurrency (Monero). You will later 
use this VPN to connect to the various services anonymously but never directly from your IP. 


There are, IMHO, two viable options: 


Cash/Monero-Paid VPN: 


There are three VPN companies recommended by PrivacyGuides.org (https://privacyguides.org/providers/vpn/ [Archive.org]) that accept cash 
payments: Mullvad, iVPN, and ProtonVPN. 


In addition, I will also mention a newcomer to watch: Safing SPN (https://safing.io/ [Archive.org]), which (while still in the alpha stage at the time of this writing) also accepts cash and has a very distinct new concept for a VPN, their "SPN", which provides benefits similar to Tor stream isolation. Note that Safing SPN is not available on macOS at the moment. This possibility is "provisional" and at your own risk, but I
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Personally, for now, | would recommend Mullvad due to personal experience. 
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How does this work? 
>> Access the VPN website with a Safe Browser (see Appendix G: Safe Browser) 


>> Go to iVPN, Mullvad, or Safing website and create a new Account ID (on the login page). 





>> This page will give you an account ID, a token ID (for payment reference), and the details of where to send the money by post. 


>> Send the required cash amount for the subscription you want in a sealed postal envelope to their offices, including a paper with the 
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Z: Paying anonymously online with BTC 


>> Wait for them to receive the payment and enable your account (this can take a while). 
>> Open Tor Browser. 
>> Check your account status and proceed when your account is active. 


For extra-security consider: 


>> Wearing gloves while manipulating anything (to avoid leaving fingerprints and touch DNA).


>> A less-obvious alternative could be to put super glue on your fingertips, to avoid making it obvious you're wearing gloves. However, this can prevent effective use of touchscreens and is less effective than gloves against touch DNA. Also, if spotted, it can be quite suspicious to be caught with super glue on your fingers.


>> Do not use any material/currency that was manipulated by someone that can be related to you in any way. 
>> Do not use the currency you just got from an ATM that could record dispensed bills serial numbers. 
>> Be careful if you print anything that it is not watermarked by your printer (See Printing Watermarking). 
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if you use them to avoid leaving DNA traces. 
>> Make sure there are no obvious DNA traces in or on the materials (like hairs). 
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materials. 


>> The more people frequent a space, the lower the risk, as your DNA will be obscured by the DNA of other people as they pass through 


>> Security cameras can be a risk. Try to cover your face. Also, gait recognition may be a concern. See [Gait Recognition and Other Long- 
Range Biometrics] 
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connections. This VPN will only be used later in a secure way as we do not trust VPN providers' "no-logging policies". This VPN provider should ideally never know your real origin IP (your home one for instance).


Self-hosted VPN/Proxy on a Monero/Cash-paid VPS (for users more familiar 
with Linux): 


The other alternative is setting up your own VPN/Proxy using a VPS (Virtual Private Server) on a hosting platform that accepts Monero (recommended).


This will offer some advantages as the chances of your IP being block-listed somewhere are lower than known VPN providers. 


This does also offer some disadvantages, as Monero is not perfect, as explained earlier in this guide, and some global adversaries could track you. You will need to get Monero either from an exchange using the normal financial system (see https://www.getmonero.org/community/merchants/#exchanges [Archive.org]) or from a local reseller using cash via https://localmonero.co, and then pick a hosting provider.
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Workstation for instance (this is explained later). This VPN will only be used later within a Virtual Machine over the Tor network in a secure way as we do not trust VPN providers' "no-logging policies". This VPN provider should never know your real origin IP.


Please see Appendix A1: Recommended VPS hosting providers 


VPN VPS: 


There are plenty of tutorials on how to do this like this one https://proprivacy.com/vpn/guides/create-your-own-vpn-server [Archive.org] 


Socks Proxy VPS: 


This is also an option obviously if you prefer to skip the VPN part. 


It is probably the easiest thing to set up since you will just use the SSH connection you have to your VPS and no further configuration should 
be required besides setting the browser of your guest VM to use the proxy in question. 


Here are a few tutorials on how to do this very quickly: 
>> (Windows/Linux/macOS) https://linuxize.com/post/how-to-setup-ssh-socks-tunnel-for-private-browsing/ [Archive.org]
>> (Windows/Linux/macOS) https://www.digitalocean.com/community/tutorials/how-to-route-web-traffic-securely-without-a-vpn-using-a-socks-tunnel [Archive.org]
>> (Windows) https://www.forwardproxy.com/2018/12/using-putty-to-setup-a-quick-socks-proxy/ [Archive.org]
>> (Linux/macOS) https://ma.ttias.be/socks-proxy-linux-ssh-bypass-content-filters/ [Archive.org]
Here is my basic tutorial: 


Linux/macOS:


Here are the steps: 
>> Get your anonymous VPS set-up 
>> From a terminal, SSH to your server by running: ssh -i ~/.ssh/id_rsa -D 8080 -f -C -q -N username@ip_of_your_server
>> Configure your browser to use localhost:8080 as a SOCKS proxy for browsing
>> Done!
Explanation of arguments:
>> -i: The path to the SSH key to be used to connect to the host
>> -D: Tells SSH that we want a SOCKS tunnel on the specified port number (you can choose a number between 1025 and 65535)
>> -f: Forks the process to the background
>> -C: Compresses the data before sending it
>> -q: Uses quiet mode
>> -N: Tells SSH that no command will be sent once the tunnel is up
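The same tunnel as an added example (not code from the guide), with the two things a practitioner checks before trusting it: that the SOCKS port is bound to loopback only, so nobody else on the local network can ride your VPS hop (PuTTY's "Local ports accept connections from other hosts" checkbox in the next section toggles exactly this), and that the browser-side test hands hostnames to the proxy instead of resolving them locally. The login user@vps.example, the key file, port 8080 and the echo-my-IP URL are placeholders; the `ss -ltn` outputs in the usage note are constructed.

```shell
#!/bin/sh
#

# Added example (not from the guide): the SOCKS tunnel above with an explicit
# loopback bind, plus the two checks worth running before trusting it.
# Placeholders: user@vps.example, ~/.ssh/id_ed25519, port 8080, and the
# echo-my-IP URL passed to socks_egress_ip.

SOCKS_PORT=${SOCKS_PORT:-8080}

# Same flags as the guide's command, but the bind address is spelled out:
# "-D 127.0.0.1:8080" listens on loopback only (a bare "-D 8080" does too
# unless GatewayPorts is set in ssh_config, so be explicit). ExitOnForwardFailure
# makes ssh exit non-zero if the port is already taken instead of quietly
# backgrounding a session with no tunnel, which -f -q would otherwise hide.
socks_tunnel_up() {   # usage: socks_tunnel_up user@host [identity_file]
  ssh -i "${2:-$HOME/.ssh/id_ed25519}" \
      -o ExitOnForwardFailure=yes \
      -D "127.0.0.1:$SOCKS_PORT" -f -C -q -N "$1"
}

# Parse "ss -ltn" output and return 0 only if every listener on PORT is bound
# to 127.0.0.1 or [::1]. A 0.0.0.0, [::] or * bind means anyone on the local
# network can use your VPS as an exit (this is exactly what ticking PuTTY's
# "Local ports accept connections from other hosts" box does).
socks_bind_is_loopback() {   # usage: socks_bind_is_loopback "$(ss -ltn)" 8080
  printf '%s\n' "$1" | awk -v port="$2" '
    NR > 1 {
      n = split($4, a, ":"); if (a[n] != port) next
      seen = 1
      if ($4 !~ /^(127\.0\.0\.1|\[::1\]):/) bad = 1
    }
    END { exit (seen && !bad) ? 0 : 1 }'
}

# Show the address the far end sees. --socks5-hostname hands the *name* to
# the proxy so the VPS resolves it; plain --socks5 would resolve it locally and
# leak every hostname you visit to your own ISP's resolver.
socks_egress_ip() {   # usage: socks_egress_ip https://<echo-my-ip-service>
  curl -s --socks5-hostname "127.0.0.1:$SOCKS_PORT" "$1"
}

if [ $# -gt 0 ]; then
  socks_tunnel_up "$1" && sleep 1
  if socks_bind_is_loopback "$(ss -ltn)" "$SOCKS_PORT"; then
    echo "SOCKS on 127.0.0.1:$SOCKS_PORT (loopback only)"
  else
    echo "SOCKS port not listening, or exposed beyond loopback" >&2; exit 1
  fi
fi
```

Point the browser at a SOCKS5 proxy on 127.0.0.1:8080 and, in Firefox, also enable "Proxy DNS when using SOCKS v5"; that setting is the browser equivalent of curl's --socks5-hostname, and without it name lookups still leave through your normal resolver.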


Windows:


Here are the steps: 


>> Get your anonymous VPS set-up 


>> Download and install PuTTY from https://www.putty.org/ [Archive.org]


>> Set the following options in Putty and connect to your server 


[Screenshot: PuTTY Configuration, Connection > SSH > Tunnels. "Local ports accept connections from other hosts" and "Remote ports do the same (SSH-2 only)" left unchecked; Source port 8080, Destination empty, type Dynamic, address family Auto, added to Forwarded ports as D8080.]


>> Connect to your VPS using those settings 
>> Configure your Browser to use localhost:8080 as a Socks Proxy 


>> Done! 





Appendix P: Accessing the internet as safely as possible 
when Tor and VPNS are not an option 


USE EXTREME CAUTION: THIS IS HIGHLY RISKY. 


There might be worst-case situations where using Tor and VPNs is not possible due to extensive active censorship or blocking, even when using Tor bridges (see Appendix X: Using Tor bridges in hostile environments).


Now, there might also be situations where simply using Tor or a VPN alone could be suspicious and could be dangerous for your safety. If 
this is the case, you could be in a very hostile environment where surveillance and control are high. 


But you still want to do something anonymously without disclosing/leaking any information.


In that case, my last resort recommendation is to connect safely from a distance to a Public Wi-Fi (See Find some safe places with decent 


public Wi-Fi) using your laptop and the Tails "Unsafe Browser". See https://tails.boum.org/contribute/design/Unsafe_Browser/ [Archive.org]; this use is unsupported by design. Proceed as follows:


>> At startup open the Additional Settings. 

>> Enable Unsafe Browser. 

>> Change the network connection setting from "Direct" to "Configure a Tor bridge or local proxy".

>> After Start-up, Connect to a safe Network 

>> When prompted, just wait for the connection wizard; do not let it establish a Tor connection.
>> Start and use the Unsafe Browser 
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Using Tails should prevent local data leaks (such as MAC addresses or telemetry) and allow you to use a Browser to get what you want 
(utilities, VPN account) before leaving that place as fast as possible. 


You could also use the other routes (Whonix and Qubes OS without using Tor/VPN) instead of Tails in such hostile environments if you want 
data persistence but this might be riskier. | would not risk it personally unless there was absolutely no other option. If you go for this option, 
you will only do sensitive activities from a reversible/disposable VM in all cases. Never from the Host OS. 


If you resort to this, please keep your online time as short as possible (minutes and not hours).


Be safe and extremely cautious. This is entirely at your own risk. 
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Appendix Q: Using long-range Antenna to connect to Public 
Wi-Fis from a safe distance: 


It is possible to access/connect to remote distant Public Wi-Fis from a distance using a cheap directional Antenna that looks like this: 








These antennas are widely available on various online shops for a cheap price (Amazon, AliExpress, Banggood ...). The only issue is that they are not discreet, and you might have to find a way to hide one (for instance in a poster cardboard tube in a backpack, or in a large enough bag). Optionally (but riskier) you could even consider using it from your home if you have a nice window view of various places where some public Wi-Fi is available.


Such antennas need to be combined with specific USB adapters that have an external Antenna plug and sufficiently high power to use them. 


I would recommend the AWUS036 series in the Alfa brand of adapters (see https://www.alfa.com.tw/ [Archive.org]). But you could also go with some other brands if you want, such as the TP-Link TL-WN722 (see https://www.tp-link.com/us/home-networking/usb-adapter/tl-wn722n/ [Archive.org])


See this post for a comparison of various adapters: https://www.wirelesshack.org/best-kali-linux-compatible-usb-adapter-dongles.html


[Archive.org] (Usually those antennas are used by Penetration Testers to probe Wi-Fis from a distance and are often discussed within the 
scope of the Kali Linux distribution). 


The process is simple: 
>> Plug in and install your USB adapter on your Host OS.
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by default in Tails). 
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>> Get to a convenient spot where you have a distant view of a place with public Wi-Fi available (this can be a rooftop for instance), but you could also imagine hiding this antenna in some bag and just sitting on a bench somewhere.
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Do not forget that this Wi-Fi might be monitored. Your signal can be triangulated easily by a motivated adversary in a matter of minutes once they reach the physical location of the Wi-Fi you are connected to (for instance using a device like a Fluke AirCheck https://www.youtube.com/watch?v=8FV2QZ1BPnw [Invidious]; also see their other products here
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Ideally, this should “not be an issue” since this guide provides multiple ways of hiding your origin IP using VPNs and Tor. But if you are ina 
situation where VPN and Tor are not an option, then this could be your only security. 


Appendix R: Installing a VPN on your VM or Host OS. 


Download the VPN client installer of your cash-paid VPN service and install it on the Host OS (Tor over VPN, VPN over Tor over VPN) or the VM of your choice (VPN over Tor).


>> Whonix Tutorial (should work with any VPN provider): https://www.whonix.org/wiki/Tunnels/Connecting_to_a_VPN_before_Tor [Archive.org] (use the Linux configurations below to get the necessary configuration files)


>> Windows Tutorials:
>> Mullvad: https://mullvad.net/en/help/install-mullvad-app-windows/ [Archive.org]


>> iVPN: https://www.ivpn.net/apps-windows [Archive.org] 





>> Safing: https://docs.safing.io/portmaster/install/windows [Archive.org] 

>> ProtonVPN: https://protonvpn.com/support/protonvpn-windows-vpn-application/ [Archive.org]
>> macOS:

>> Mullvad: https://mullvad.net/en/help/install-and-use-mullvad-app-macos/ [Archive.org]

>> iVPN: https://www.ivpn.net/apps-macos/ [Archive.org]

>> Safing: Not available on macOS

>> ProtonVPN: https://protonvpn.com/support/protonvpn-mac-vpn-application/ [Archive.org]
>> Linux: 

>> Mullvad: https://mullvad.net/en/help/install-mullvad-app-linux/ [Archive.org] 

>> iVPN: https://www.ivpn.net/apps-linux/ [Archive.org] 

>> Safing: https://docs.safing.io/portmaster/install/linux [Archive.org] 

>> ProtonVPN: https://protonvpn.com/support/linux-vpn-setup/ [Archive.org] 
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VMs). 


In all cases, you should set the VPN to start from boot and enable the “kill switch” if you can. This is an extra step since this guide proposes 
solutions that all fall back on the Tor network in case of VPN failure. Still recommended IMHO. 


Here are some guides provided by the recommended VPN providers in this guide: 
>> Windows: 
>> iVPN: https://www.ivpn.net/knowledgebase/general/do-you-offer-a-kill-switch-or-vpn-firewall/ [Archive.org] 
>> ProtonVPN: https://protonvpn.com/support/what-is-kill-switch/ [Archive.org]


>> Mullvad: https://mullvad.net/en/help/using-mullvad-vpn-app/#killswitch [Archive.org]


>> Whonix Workstation: Coming Soon, it is certainly possible, but | did not find a suitable and easy tutorial yet. It is also worth 
remembering that if your VPN stops on Whonix, you will still be behind the Tor Network. 


>> macOS: 
>> Mullvad: same as Windows, the option should be in the provided VPN client
>> iVPN: same as Windows, the option should be in the provided VPN client


>> ProtonVPN: same as Windows, the option should be in the provided VPN client https://protonvpn.com/blog/macos-vpn-kill-switch/ [Archive.org]


>> Linux: 
>> Mullvad: 
>> https://mullvad.net/en/help/wireguard-and-mullvad-vpn/ [Archive.org]
>> https://mullvad.net/en/help/linux-openvpn-installation/ [Archive.org] 
>> ProtonVPN: https://github.com/ProtonVPN/linux-cli/blob/master/USAGE.md#kill-switch [Archive.org] 
>> IVPN: 
>> https://www.ivpn.net/knowledgebase/linux/linux-wireguard-kill-switch/ [Archive.org]


>> https://www.ivpn.net/knowledgebase/linux/linux-kill-switch-using-the-uncomplicated-firewall-ufw/ [Archive.org] 


Appendix S: Check your network for surveillance/censorship
using OONI


So, what is OONI? OONI stands for Open Observatory of Network Interference and is a sub-project of the Tor Project.


First OONI will allow you to check online for surveillance/censorship in your country just by looking at their Explorer that features test results 
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yourself and running the tests yourself. 





The problem is that your network providers will be able to see those tests and your attempts at connecting to various services if the network 
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be risky. 
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>> Do not run the tests from your home/work network. 
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>> Only consider running these tests quickly from a Public Wi-Fi from a safe distance (see Appendix P: Accessing the internet as 
safely as possible when Tor and VPNs are not an option). 


The probe can be found here: https://ooni.org/install/ [Archive.org] for various platforms (iOS, Android, Windows, macOS, and Linux). 


Appendix T: Checking files for malware 


Integrity (if available): 


Usually, integrity checks are done using hashes of files (usually stored within checksum files). Older files could use CRC, more recently 
MD5, but those present several weaknesses: CRC is not a cryptographic hash at all, and MD5 is cryptographically broken, although both 
are still widely used in other contexts (error detection, deduplication) where collision resistance does not matter. 


This is because they do not prevent Collision well enough and could allow an adversary to create a similar but malicious file that would still 
produce the same CRC or MD5 checksum despite having different content. The same now applies to SHA-1, for which practical collisions 
have been demonstrated since 2017: do not rely on it for files from an untrusted source. 


For this reason, it is usually recommended to use SHA-based hashes and the most used is probably the SHA-2 based SHA256 for 
verifying file integrity. SHA-2 is much more resistant to collisions than CRC and MD5. No collision is known for SHA256 or SHA512, and 
computing one is far beyond the means of any known adversary. 


If a SHA256 checksum is available from the source of the file, you should not hesitate to use it to confirm the integrity of the file. 


This checksum should itself be authenticated/trusted and should be available from an authenticated/trusted source (obviously you should not 
trust a file just because it has a checksum attached to it alone). 


In the case of this guide, the SHA256 checksums are available for each file including the PDFs but are also authenticated using a GPG 
le] akoli0lxsmrali(o)vilaleMvZelemCOMY{=)alavmsal-M-lUlial=yali(el|avare) Mm tars mejal>(e..¢-16] 00mm MalicMm 11M e)a) ale MmUlsmiom ial-mal->¢m\-(e1lle)am-lelelular-lelial-yaliceliaya 


So how to check checksums? (In this case SHA256 but you could change to SHA512.) 


>> Windows: 
>> Open a Command Prompt 
>> Run certutil -hashfile filename.txt sha256 (replace sha256 by sha512; sha1 and md5 are also accepted but should only be used when nothing stronger is published) 
>> Compare your result to one from a source you trust for that file 
>> macOS: 
>> Open a Terminal 
>> SHA: Run shasum -a 256 /full/path/to/your/file (replace 256 by 512) 
>> MD5: Run md5 /full/path/to/your/file (only if no SHA checksum is published) 
>> Compare your result to one from a source you trust for that file 
>> Linux: 
>> Open a Terminal 
>> Run sha256sum /full/path/to/your/file (or sha512sum; note that plain shasum without -a defaults to SHA-1) 
>> If the source ships a checksum file (SHA256SUMS for instance), run sha256sum -c SHA256SUMS from the directory containing the files instead: it prints OK or FAILED for every listed file 
>> Compare your result to one from a source you trust for that file 


Remember that checksums are just checksums. Having a matching checksum does not mean the file is safe. 
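The Linux procedure above, as a small script. This is an added example, not the guide's own code: it reads a coreutils-style checksum file (one `<hex>  <name>` or `<hex> *<name>` line per file, the format sha256sum -c expects), hashes each listed file in chunks, compares in constant time, and refuses to "verify" anything against an MD5, SHA-1 or CRC line so that a weak digest cannot be mistaken for a check. The sample files and checksum lines it builds in a temporary directory are constructed for the demonstration.

```python
# Added example (not from the guide): verify files against a SHA256SUMS-style
# checksum file the way `sha256sum -c` does, and refuse weak digests.
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> algorithm. MD5, SHA-1 and CRC are deliberately not
# verifiable: a line carrying one of them is reported as WEAK, not checked.
STRONG_DIGESTS = {64: "sha256", 128: "sha512"}
WEAK_DIGESTS = {8: "crc32", 32: "md5", 40: "sha1"}


def file_digest(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so a multi-GB ISO never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums(text):
    """Parse `<hex>  <name>` (text) / `<hex> *<name>` (binary) coreutils lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        entries.append((digest.lower(), name.lstrip(" *")))
    return entries


def verify_sums(sums_text, directory):
    """Return {filename: "OK" | "FAILED" | "MISSING" | "WEAK:<algo>"}."""
    results = {}
    for digest, name in parse_sums(sums_text):
        if len(digest) in WEAK_DIGESTS:
            results[name] = "WEAK:" + WEAK_DIGESTS[len(digest)]
            continue
        algorithm = STRONG_DIGESTS.get(len(digest))
        if algorithm is None:                 # not a digest length we accept
            results[name] = "FAILED"
            continue
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = file_digest(path, algorithm)
        # constant-time comparison of the two hex strings
        results[name] = "OK" if hmac.compare_digest(actual, digest) else "FAILED"
    return results


def demo():
    """Constructed sample: one intact file, one tampered, one MD5 line, one missing."""
    with tempfile.TemporaryDirectory() as d:
        good = b"guide.pdf contents (constructed sample)\n"
        with open(os.path.join(d, "guide.pdf"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "guide.odt"), "wb") as f:
            f.write(good + b"tampered")          # differs from what was hashed
        sums = "\n".join([
            hashlib.sha256(good).hexdigest() + "  guide.pdf",
            hashlib.sha256(good).hexdigest() + " *guide.odt",
            hashlib.md5(good).hexdigest() + "  guide.md",
            hashlib.sha256(good).hexdigest() + "  missing.txt",
        ])
        return verify_sums(sums, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Replace demo() with the real checksum file and directory when using it. A 64-character hex string is treated as SHA-256 here only because that is what a SHA256SUMS file contains; the length alone does not identify the algorithm, so match the checksum file to the tool that produced it.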


Authenticity (if available): 





Integrity is one thing. Authenticity is another thing. This is a process where you can verify some information is authentic and from the 
expected source. This is usually done by signing information (using GPG for instance) using public-key cryptography. 
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If available, you should always verify the signatures of files to confirm their authenticity. 
In essence: 
>> Install GPG for your OS: 
>> Windows: gpg4win (https://www.gpg4win.org/ [Archive.org]) 
>> macOS: GPGTools (https://gpgtools.org/ [Archive.org]) 
>> Linux: It should be pre-installed in most distributions 


>> Download the Signature key from a trusted source. If someone is not giving you a key directly, you should check for multiple versions 
on other websites to confirm you are using the right key (GitHub, GitLab, Twitter, Keybase, Public Keys Servers...). Compare the full 
40-character fingerprint (gpg --show-keys keyfile.asc prints it without importing anything), not the short 8-character key ID, which 
an adversary can generate a colliding key for in minutes. 


>> Import the trusted key (replace keyfile.asc by the filename of the trusted key): 
>> Windows: 
>> From a Command Prompt, Run gpg --import keyfile.asc 
>> macOS: 
>> From a Terminal, Run gpg --import keyfile.asc 
>> Linux: 
>> From a Terminal, Run gpg --import keyfile.asc 


>> Verify the file signature against the imported (trusted) key (replace filetoverify.asc by the signature file that was associated with 
the file, replace filetoverify.txt by the actual file to verify): 


>> Windows: 
>> Run gpg --verify-options show-notations --verify filetoverify.asc filetoverify.txt 
>> macOS: 
>> Run gpg --verify-options show-notations --verify filetoverify.asc filetoverify.txt 
>> Linux: 
>> Run gpg --verify-options show-notations --verify filetoverify.asc filetoverify.txt 
>> On all three, the result should say “Good signature” from the key you imported earlier. A “Good signature” only means the 
signature was made by some key in your keyring, so also compare the full fingerprint of the signing key (gpg --fingerprint <key ID> 
prints it) with the one you obtained from several independent sources: a good signature from a key you never checked proves 
nothing. gpg will also warn that the key is not certified with a trusted signature; that warning is expected here, because you are 
trusting the fingerprint you checked by hand rather than the web of trust. Any other result (BAD signature, missing public key, 
expired or revoked key) means you should not use the file. 
For some other tutorials, please see: 
>> https://support.torproject.org/tbb/how-to-verify-signature/ [Archive.org] 
>> https://tails.boum.org/install/vm-download/index.en.html [Archive.org] (See Basic OpenPGP verification). 
>> https://www.whonix.org/wiki/Verify_the_Whonix_images [Archive.org] 


All these guides should also apply to any other file with any other key. 
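The same check in script form, added here as an example (it is not the guide's code and not part of GnuPG): it runs gpg --verify with --status-fd so the result can be read by a program instead of by eye, and accepts the file only when gpg reports GOODSIG and VALIDSIG and the primary key fingerprint in the VALIDSIG line equals the one you verified out of band. The EXPECTED_FPR value and the status lines used in the demonstration are constructed placeholders, not a real key or real gpg output; the line layout follows the format GnuPG documents in doc/DETAILS.

```python
# Added example (not from the guide): machine-readable gpg verification that
# insists on a known fingerprint. "Good signature" alone is not enough.
import shutil
import subprocess

# The fingerprint you obtained from several independent sources. This value is a
# placeholder for the example, not anyone's real key.
EXPECTED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

FAILURE_KEYWORDS = ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY")


def parse_status(status_text):
    """Reduce `gpg --status-fd` lines to what a trust decision needs."""
    result = {"good": False, "fingerprints": [], "problems": []}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1]
        if keyword == "GOODSIG":
            result["good"] = True
        elif keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <exp-ts> <ver> <rsvd> <pkalgo> <hashalgo>
            #          <class> [<primary-key-fpr>]
            # The last field is the primary key fingerprint when the signing key
            # is a subkey, otherwise it is the signing key itself.
            result["fingerprints"].append(fields[-1].upper())
        elif keyword in FAILURE_KEYWORDS:
            result["problems"].append(keyword)
    return result


def signature_ok(status_text, expected_fpr=EXPECTED_FPR):
    """True only for a good, valid signature made with the expected key."""
    parsed = parse_status(status_text)
    wanted = expected_fpr.replace(" ", "").upper()
    return parsed["good"] and not parsed["problems"] and wanted in parsed["fingerprints"]


def gpg_verify(signature_path, file_path, expected_fpr=EXPECTED_FPR):
    """Invoke the real gpg (if installed) and apply the same decision."""
    gpg = shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg not found; install it first")
    # --status-fd 1 puts the machine-readable lines on stdout; humans get stderr.
    proc = subprocess.run(
        [gpg, "--status-fd", "1", "--verify", signature_path, file_path],
        capture_output=True, text=True,
    )
    return signature_ok(proc.stdout, expected_fpr)


def make_status(fpr, good=True):
    """Constructed status output of the shape gpg prints with --status-fd 1."""
    keyid = fpr[-16:]                         # long key ID = last 16 hex digits
    if not good:
        return "[GNUPG:] BADSIG %s Example Signer <signer@example.invalid>" % keyid
    return "\n".join([
        "[GNUPG:] NEWSIG",
        "[GNUPG:] GOODSIG %s Example Signer <signer@example.invalid>" % keyid,
        "[GNUPG:] VALIDSIG %s 2022-01-01 1641000000 0 4 0 1 10 00 %s" % (fpr, fpr),
        "[GNUPG:] TRUST_UNDEFINED 0 pgp",
    ])


GOOD_STATUS = make_status(EXPECTED_FPR)
WRONG_KEY_STATUS = make_status("FEDCBA9876543210FEDCBA9876543210FEDCBA98")
BAD_STATUS = make_status(EXPECTED_FPR, good=False)

if __name__ == "__main__":
    print("expected key:", signature_ok(GOOD_STATUS))       # True
    print("other key:   ", signature_ok(WRONG_KEY_STATUS))  # False: good sig, wrong signer
    print("bad sig:     ", signature_ok(BAD_STATUS))        # False
```

The TRUST_UNDEFINED line is what gpg emits when the key is not certified through the web of trust; the script ignores it on purpose, because the fingerprint comparison is the trust decision here. gpg_verify() only runs when gpg is installed; the constructed status strings let the decision logic be exercised without it.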
Security (checking for actual malware): 
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Anti-Virus Software: 


You might be asking yourself, what about Anti-Virus solutions? Well, no ... these are not perfect solutions against many modern malware and 
viruses using polymorphic code. But it does not mean they cannot help against less sophisticated and known attacks. It depends on how 
you use them, as AV software can become an attack vector in itself: it parses untrusted files with complex code running at high privileges. 


Again, this is all a matter of threat modeling. Can AV software help you against the NSA? Probably not. Can it help you against less 
resourceful adversaries using known malware? Probably. 


Some will simply argue against using them at all (Whonix for instance), but this topic is being discussed and disputed even at Whonix by others. 
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Contrary to popular myths perpetuating the idea that only Windows is subject to malware and that detection tools are useless on Linux and 
macOS: 


>> Yes, there are viruses and malware for Linux 


>> Yes, there are viruses and malware for macOS 


My take on the matter is on the pragmatic side. There is still room for some AV software for some selective and limited use. But it depends on 
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>> Do not use AV software with real-time protection as they often run with administrator privileges and can become an attack vector. 
>> Do not use Commercial AV software that uses any “cloud protection” or sends extensive telemetry and samples to their company. 
==> Do use Open-Source non-real-time offline Anti-Virus/Anti-Malware tools as an added measure to scan some files such as: 

>> Windows/Linux/macOS/Qubes OS: ClamAV (https://www.clamav.net/ [Archive.org]) 

>> Linux/Qubes OS: RFXN Linux Malware Detect (https://github.com/rfxn/linux-malware-detect [Archive.org]) 

>> Linux/Qubes OS: Chkrootkit (http://www.chkrootkit.org/ [Archive.org]) 


>> You could also use online services for non-sensitive files such as VirusTotal (https://www.virustotal.com/gui/) or Hybrid Analysis 
(https://www.hybrid-analysis.com/) 


>> You could also just check the Virus Total database for the hash of your file if you don’t want to send it over (see 
https://developers.virustotal.com/v3.0/docs/search-by-hash [Archive.org]) (See the Integrity (if available): section again for guidance 
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>> Other tools are also available for non-sensitive files and a convenient list is right here: https://github.com/rshipp/awesome- 
malware-analysis#online-scanners-and-sandboxes [Archive.org] 


>> Please be aware that while VirusTotal might seem very practical for scanning various files, their “privacy policy” is 
problematic (see https://support.virustotal.com/hc/en-us/articles/115002168385-Privacy-Policy [Archive.org]) and states: 


“When you submit Samples to the Services, if you submit Samples to the Services, we will collect all of the information in the Sample itself 
and information about the act of submitting it.” 
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So, if you are in doubt: 


>> For non-sensitive files, I do encourage you to check any documents/images/videos/archives/programs you intend to open with 
VirusTotal (or other similar tools) because ... Why not? (Either by uploading or checking hashes). 


>> For sensitive files, | would recommend at least an offline unprivileged ClamAV scan of the files. 


For instance, this guide’s PDF files were submitted to VirusTotal because it is meant to be public knowledge and I see no valid argument 
against it. It does not guarantee the absence of malware, but it does not hurt to add this check. 


Manual Reviews: 


You can also try to check various files for malware using various tools. This can be done as an extra measure and is especially useful with 
documents rather than apps and various executables. 


These methods require more tinkering but can be useful if you want to go the extra length. 


PDF files: 


Again, regarding the PDFs of this guide and as explained in the README of my repository, you could check for anomalies using PDFiD 
which you can download at https://blog.didierstevens.com/programs/pdf-tools/ [Archive.org]. 


>> Install Python 3 (on Windows/Linux/macOS/Qubes OS) 
>> Download PDFiD and extract the files 


>> Run “python pdfid.py file-to-check.pdf” and you should see these at 0 in the case of the PDF files in this repository: 


/JS 0 #This indicates the presence of JavaScript 
/JavaScript 0 #This indicates the presence of JavaScript 
/AA 0 #This indicates the presence of automatic actions on opening 
/OpenAction 0 #This indicates the presence of automatic actions on opening 
/AcroForm 0 #This indicates the presence of AcroForm which could contain JavaScript 
/JBIG2Decode 0 #This indicates the use of JBIG2 compression which could be used for obfuscating content 
/RichMedia 0 #This indicates the presence of rich media within the PDF such as Flash 
/Launch 0 #This counts the launch actions 
/EmbeddedFile 0 #This indicates there are embedded files within the PDF 
/XFA 0 #This indicates the presence of XML Forms within the PDF 
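What PDFiD is doing with that list, as an added example (this is a from-scratch illustration, not PDFiD's code or the guide's): it scans the raw bytes of a PDF for the names above and, like PDFiD, first decodes the #xx hex escapes the PDF syntax allows inside a name, so that /J#53 is counted as /JS instead of slipping past a naive string search. The two PDFs it checks are constructed byte strings, not real files, and the regular expression is a triage heuristic, not a PDF parser.

```python
# Added example (not from the guide or PDFiD): a minimal PDFiD-style keyword
# count over raw PDF bytes, with #xx name escapes normalised first.
import re

RISKY_NAMES = [
    "/JS", "/JavaScript", "/AA", "/OpenAction", "/AcroForm", "/JBIG2Decode",
    "/RichMedia", "/Launch", "/EmbeddedFile", "/XFA",
]

# A PDF name is "/" followed by bytes up to the next whitespace or delimiter.
# "#" is a regular character inside a name: #xx stands for the byte 0xxx.
NAME_RE = re.compile(rb"/([^\s/<>\[\]()%{}]*)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw):
    """Replace every #xx escape in a raw name with the byte it encodes."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def pdf_keyword_counts(data):
    """Count the risky names in a PDF's bytes, after de-escaping each name."""
    counts = {name: 0 for name in RISKY_NAMES}
    for match in NAME_RE.finditer(data):
        name = "/" + decode_name(match.group(1)).decode("latin-1")
        if name in counts:
            counts[name] += 1
    return counts


def is_suspicious(counts):
    """The guide's rule of thumb: a clean document shows 0 for all of these."""
    return any(v > 0 for v in counts.values())


# Constructed samples (not real files): a bare one-page PDF, and the same PDF
# with a JavaScript action that runs on open, its /JS key written as /J#53.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /JavaScript /J#53 (app.alert('constructed sample')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, pdf in (("clean", CLEAN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        c = pdf_keyword_counts(pdf)
        hits = {k: v for k, v in c.items() if v}
        print(label, "SUSPICIOUS" if is_suspicious(c) else "ok", hits)
```

A raw scan like this (and PDFiD itself) cannot see names inside compressed object streams (/ObjStm) or otherwise filtered streams, which is exactly where a careful attacker would put them; a non-zero /ObjStm count on a document that should be simple is itself a reason to look closer with a tool that decompresses streams, such as pdf-parser from the same author.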


Now, what if you think the PDF is still suspicious? Fear not ... there are more things you can do to ensure it is not malicious: 


>> Qubes OS: Consider using https://github.com/QubesOS/qubes-app-linux-pdf-converter [Archive.org] which will convert your PDF into a 
flattened image file. This should theoretically remove any malicious code in it. Note that this will also render the PDF formatting useless 
(such as links, headings, bookmarks, and references). 
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https://github.com/firstlookmedia/pdf-redact-tools 4"Cn've-0rg] which will also turn your PDF into a flattened image file. Again, this should 
theoretically remove any malicious code in it. Again, this will also render the PDF formatting useless (such as links, headings, 
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several security issues“°”. You should not use this tool even if it is recommended in some other guides. 


>> Windows/Linux/Qubes OS/macOS: Consider using https://github.com/firstlookmedia/dangerzone [Archive.org] which was inspired by 
the Qubes PDF Converter above and does the same but is well maintained and works on all OSes. This tool also works with Images, ODF 
files, and Office files (Warning: On Windows, this tool requires Docker Desktop installed and this might (will) interfere with VirtualBox 
and other Virtualization software because it requires enabling Hyper-V. VirtualBox and Hyper-V do not play nice together. Consider 
installing this within a Linux VM for convenience instead of a Windows OS). 


Other types of files: 
Here are some various resources for this purpose where you will find what tool to use for what type: 


>> For Documents/Pictures: Consider using https://github.com/firstlookmedia/dangerzone [Archive.org], described in the PDF files 
section just above (same tool, same Docker Desktop/Hyper-V warning on Windows); it handles Images, ODF files, and Office files as 
well as PDFs. 
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>> For Videos: Be extremely careful, use an up-to-date player in a sandboxed environment. Remember 
that even subtitle files have been used to compromise popular video players (VLC, Kodi, Popcorn Time and Stremio were all affected in 2017). 


>> This practical cheat sheet from SANS: https://digital-forensics.sans.org/media/analyzing-malicious-document-files.pdf [Archive.org] 
(warning, many of those tools might be harder to use on Windows and you might consider using them from a Linux OS such as Tails, 
Whonix Workstation, or a Linux distribution of your choice as explained later in this guide. There are also other guides out there that 
might be of use.) 


>> This GitHub repository with various resources on malware analysis: https://github.com/rshipp/awesome-malware-analysis [Archive.org] 


>> This interesting PDF detailing which tool to use for which file type https://www.winitor.com/pdf/Malware-Analysis-Fundamentals-Files-Tools.pdf [Archive.org] 
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Appendix U: How to bypass (some) local restrictions on 
Supervised computers 


There might be situations where the only device you have at your disposal is not really yours such as: 
>> Using a Work computer with restrictions in place on what you can do/run. 
>> Misuse of Parental control features to monitor your computer usage (despite you being a non-consenting Adult). 
>> Misuse of various monitoring apps to monitor your computer usage against your will. 


The situation might look desperate, but it is not necessarily the case as there are some safe ways to bypass these depending on how well 
your adversaries did their job securing your computer. 


Portable Apps: 


There are plenty of methods you could use to bypass those restrictions locally. One of them would be to use portable apps. Those apps 
do not require installation on your system and can be run from a USB key or anywhere else. 
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This is because those portable apps will not necessarily hide themselves (or be able to hide themselves) from the usage reports and forensic 
examination. This method is just too risky and will probably raise issues if noticed if you are in such a hostile environment. 


Even the most basic controls (Supervision or parental) will send out detailed app usage to your adversary. 
Bootable Live Systems: 
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It is relatively easy for your adversary to prevent this by setting up firmware BIOS/UEFI (see Bios/UEFI/Firmware Settings of your laptop) 
controls but usually most adversaries will overlook this possibility which requires more technical knowledge than just relying on Software. 


This method could even decrease suspicion and increase your plausible deniability as your adversaries think they have things under control 
and that everything appears normal in their reports. 
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Boot Security is divided into several types: 


>> Simple BIOS/UEFI password preventing the change of the boot order. This means you cannot start such a live system in place of your 
supervised OS without providing the BIOS/UEFI password. 


>> Secure Boot. This is a “standard” feature preventing you from starting unsigned systems from your computer. While this feature could 
be configured to only allow your supervised system, usually by default it will allow running an entire range of signed systems (signed by 
Microsoft or the Manufacturer for instance). 


Secure Boot is relatively easy to bypass as there are plenty of Live Systems that are now Secure Boot compliant (meaning they are signed) 
and will be allowed by your laptop. 


The BIOS/UEFI password on the other hand is much harder to bypass without risks. In that case, you are left with two options: 
>> Guess/Know the password so that you can change the boot order of your laptop without raising suspicions 


>> Reset the password using various methods to remove the password. | would not recommend doing this because if your 
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Again, this feature is usually overlooked by most unskilled/lazy adversaries and in my experience left disabled. 
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The reason is that most of the controls are within your main Operating System software and only monitor what happens within the Operating 
System. Those measures will not be able to monitor what happened at the Hardware/Firmware level before the Operating System loads. 


Precautions: 


While you might be able to bypass local restrictions easily using a Live System such as Tails, remember that your network might also be 
monitored for unusual activities. 


Unusual network activities showing up from a computer at the same time your computer is seemingly powered off might raise suspicions. 


If you are to resort to this, you should never do so from a monitored/known network but only from a safe different network. Ideally a safe 
public wi-fi (See Find some safe places with decent public Wi-Fi). 
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Refer to the Tails route to achieve this. See The Tails route and Appendix P: Accessing the internet as safely as possible when Tor 
and VPNs are not an option sections. 


Appendix V: what browser to use in your Guest 
VM/Disposable VM 


There are IMHO 6 possibilities of browser to use on your guest/disposable VM: 
=> Brave (Chromium-based) 
>> Edge (Chromium-based, Windows Only) 
>> Firefox 
>> Safari (macOS VM only) 
>> Tor Browser 
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Disclaimer: these tests while nice are not conclusive of the real fingerprinting resistance. But they can help compare browsers 
between each other. 


>> *: macOS only. **: Windows only. 





Another useful resource to be considered for comparing browsers is: https://privacytests.org/ [Archive.org] 
Brave: 


This is my recommended/preferred choice for a Browser within your guest VMs. This is not my recommended choice for a Browser 
within your Host OS where I strictly recommend Tor Browser as they recommend it themselves. 


Why Brave despite the controversies? 


>> You will encounter fewer issues later with account creations (captchas ...). This is based on my experiences trying to create plenty of 
online identities using various browsers. You will have to trust me on that. 


>> You will enjoy native ad-blocking where none is available in others by default without adding extensions. 


>> Performance is arguably better than Firefox. 


>> Brave is arguably better at fingerprinting resistance than others. 


>> Security of Chromium-based Browsers is arguably better and more secure than Firefox. Within the context of this guide, security 
should be privileged to prevent any vulnerability or exploit from gaining access to the VM. 


>> Comparison of both by Mozilla: https://www.mozilla.org/en-US/firefox/browsers/compare/brave/ [Archive.org] 


>> Comparison of both by Techlore: https://www.youtube.com/watch?v=qkJGF3syQy4 lnvidious] 


==> The whole traffic will be routed over a VPN over Tor anyway. So even if you mistakenly opt-in for some telemetry, it is not so important. 
Remember that in this anonymity threat model, we are mostly after anonymity and security. The privacy of our online identities does not 
matter that much unless the privacy issue is also a security issue that could help deanonymize you. 


>> Brave was found to be sending no identifiable telemetry compared to other browsers. 
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Edge: 


This is for Windows users only. Edge is a solid choice too. 


>> You will encounter fewer issues later with account creations (captchas ...). This is based on my experiences trying to create plenty of 
online identities using various browsers. You will have to trust me on that. 





>> Better Security than Firefox as it is Chromium-based. 
>> Better Performance than Firefox. 


>> The whole traffic will be routed through Tor anyway. 


>> Can benefit from additional security using Microsoft Defender Application Guard (MDAG). Note that this feature cannot be enabled 
in a VirtualBox VM unfortunately. 


>> Native tracker blocking (Similar to Brave Shields). 
Cons: 


>> You will have to disable some telemetry within the Browser 
Safari: 


The macOS default browser. 
Pros: 
>> It is a Browser with decent security and sandboxing capabilities. 
Cons: 
>> It is macOS only (obviously) 
>> It requires signing-in into the App Store to install extensions (impossible within the scope of this guide since it is a VM) 
>> Even if you could, it lacks the best Extensions available for Firefox and Chrome. 


Overall, I would not recommend using Safari on a macOS VM but instead, go for another Browser such as Brave or Firefox. 
Firefox: 


And of course, lastly, you could go with Firefox. 
Pros: 
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almost entirely funded by Google?!°). 


>> An impressive amount of customization through extensions for every possible need. 
>> Firefox can be severely hardened to almost match the security of Chromium-based browsers. 
Cons: 


>> Poorer performance compared to Chromium. 


>> Security (especially sandboxing) of Firefox is arguably weaker than Chromium-based browsers. 


>> You will experience more captchas (this is based on my tests). 


Tor Browser: 


If you are extra paranoid and want to use Tor Browser and have “Tor over VPN over Tor”, you could go with Tor Browser within the VM as 
well. This is IMHO completely pointless/useless. 


I would not recommend this option. It is just silly. 


Appendix V1: Hardening your Browsers: 


Brave: 


>> Download and install Brave browser from https://brave.com/download/ [Archive.org] 
>> Open Brave Browser 
>> Go into Settings 
>> Go to Appearances 
>> Disable Show Top Sites 
>> Disable Show Brave Suggested Sites 


>> Enable Hide Brave Rewards 





>> Enable Always show full URL 
>> Go into Shields 
>> Set Shields to Advanced 
>> Set Trackers and Ads blocking to Aggressive 
>> Set Upgrade to HTTPS to enabled 
>> Set Cookie blocking to “Only cross-site” 
>> Set Fingerprinting blocking to Standard (or Strict) 
>> Go into Social media Blocking 
>> Uncheck everything unless needed 
>> Go to Search Engine 
>> See Appendix A3: Search Engines 
>> Go into Extensions 
>> Disable everything except Private Windows with Tor and both Resolve methods set to “Ask” 
>> Go into Wallet 
>> Disable the wallet 
>> Go into Additional Settings, Privacy, and Security 
>> Leave WebRTC to Default 
>> Disable all the rest 
>> Go into Clear Browsing Data 
>> Select On Exit 
>> Check all options 
>> Open a new Tab 
>> Click Customize in the lower right corner 
>> Disable everything except maybe the clock 
>> Navigate to brave://adblock 
>> Select any additional adblocking filter you want 
>> Do not ever enable Brave Rewards (button should be hidden) 
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>> LocalCDN (https://chrome.google.com/webstore/detail/localcdn/) 
>> Alternatively, DecentralEyes (https://chrome.google.com/webstore/detail/decentraleyes/) 
>> PrivacyBadger (https://chrome.google.com/webstore/detail/privacy-badger/) 
>> NoScript (https://chrome.google.com/webstore/detail/noscript/) 
>> Alternatively, uMatrix (https://chrome.google.com/webstore/detail/umatrix/) 
>> ClearURLs (https://chrome.google.com/webstore/detail/clearurls/) 
>> Privacy Redirect (https://github.com/SimonBrazell/privacy-redirect) 


>> While the settings for Invidious and Nitter instances are random, I would recommend setting them to “nitter.net” for Nitter and 
“yewtu.be” for Invidious. 


That’s it and you should be pretty much covered. For full paranoia, you can also just “Block Scripts” to disable Javascript. Note that even 
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Edge: 





Windows only: 
>> Open Edge 
>> Go into Settings 
==> Go to Profiles and make sure everything is unchecked in every section (Personal Info, Passwords, Payment info, Profile preferences) 
>> Go to Privacy, search, and services: 
==> Go to Tracking Prevention: 
>> Set to Strict or at least Balanced 
>> Set to always use Strict with InPrivate Windows 
>> Go to Privacy: 
>> Enable send Do Not Track 
==> Disable the options for the website to check your payment methods 
>> Go to Optional Diagnostic Data 
>> Disable it 
>> Go to Personalize your Web Experience: 
>> Disable it 
>> Go to Security 
==> Disable everything 
>> Go to Services 
>> Disable everything 
>> In Address Bar and Search: 
>> Disable everything and change the search engine (see Appendix A3: Search Engines) 
>> Go to Cookies and Sites Permissions: 
>> Within All Permissions: 
==> Within Cookies, make sure “Block Third-Party Cookies” is checked 
==> Block everything except: 
>> Javascript 
>> Images 
Enable Application Guard for Edge (only on Host OS, not possible within a VirtualBox VM): 
Skip if this is a VM 
>> Open Control Panel. 
=> Click on Programs 
>> Click on Turn Windows features on or off 
>> Check the Windows Defender Application Guard option 
>> Click OK. 
>> Click Restart. 
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That's about it for Edge but you are also free to add extensions from the Chrome Store such as: 
>> uBlock Origin (https://chrome.google.com/webstore/detail/ublock-origin/) 
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>> Alternatively, DecentralEyes (https://chrome.google.com/webstore/detail/decentraleyes/) 
>> PrivacyBadger (https://chrome.google.com/webstore/detail/privacy-badger/) 
>> HTTPSEverywhere (https://chrome.google.com/webstore/detail/https-everywhere/) 
>> NoScript (https://chrome.google.com/webstore/detail/noscript/) 


>> Alternatively, uMatrix (https://chrome.google.com/webstore/detail/umatrix/) 





>> ClearURLs (https://chrome.google.com/webstore/detail/clearurls/) 
>> Privacy Redirect (https://chrome.google.com/webstore/detail/privacy-redirect/omcmeagblkinmogikoikkdjiligflglb) 


>> While the settings for Invidious and Nitter instances are random, I would recommend setting them to “nitter.net” for Nitter and 
“yewtu.be” for Invidious. 


Safari: 


macOS Only: 
>> Open Safari 
>> Click the Safari top left Menu 
>> Click Preferences 
=> On the General Tab: 
>> Change New Windows to “Empty Page” 
==> Change New Tabs to “Empty page” 
>> Change the Remove History after to “1 day” 
>> Change the Remove Download list items to “When Safari Quits” or “When Successful Download” 
=> Uncheck “Open Safe Files After Downloading” 
>> On the Security Tab: 
>> Disable “Warn when visiting a Fraudulent Website” (this sends the URLs you visit to Google for screening) 
>> On the Privacy Tab: 
>> Uncheck “Web Advertising” 
==> On the Advanced Tab: 
>> Check the “Show full website address” 
Consider Appendix A5: Additional browser precautions with JavaScript enabled 


That’s about it. Unfortunately, you will not be able to add extensions as those will require you to sign in into the App Store which you cannot 
do from a macOS VM. Again, | would not recommend sticking to Safari ina macOS VM but instead switching to Brave or Firefox. 


Firefox: 


Normal settings: 


>> Open Firefox 
>> On the Firefox Home Page: 
>> Click Personalize 
==> Uncheck/Disable Everything 
>> Open Settings: 
>> Go into Search 
>> Change the search engine (See Appendix A3: Search Engines) 
>> Go into Privacy & Security 
>> Set to Custom 
>> Cookies: Select All Third-Party Cookies 
>> Tracking Content: In all Windows 
>> Check Cryptominers 
>> Check Fingerprinters 
>> Set always send “Do Not Track” 
>> Go to Logins and Passwords 
>> Uncheck “Ask to save logins and passwords for websites” 


>> Go to Permissions 





== Location: check block new requests 
>> Camera: check block new requests 
>> Microphone: check block new requests 
>> Notifications: check block new requests 
>> Autoplay: select Disable Audio and Video 
>> Virtual Reality: check block new requests 
>> Check Block Pop-ups 
==> Check Warn when websites try to install add-ons 
>> Go to Firefox Data Collection and Use 
=> Disable everything 
>> Go to HTTPS-Only Mode 


>> Enable it on all Windows 


Advanced settings: 


Those settings are explained on the following resources in order of recommendation if you want more details about what each setting does: 
1. https://wiki.archlinux.org/title/Firefox/Privacy [Archive.org] (most recommended) 
2. https://proprivacy.com/privacy-service/guides/firefox-privacy-security-guide [Archive.org] 
Here are most of the steps combined from the sources above (some have been omitted due to the extensions recommended later below): 
>> Navigate to “about:config” in the URL bar 
>> Click “Accept the Risk and Continue” 
>> Safe Settings (should not break anything) 

=> Disable Firefox Pocket 
>> Set “extensions.pocket.enabled” to false 

>> Disable All Telemetry 
>> Set “browser.newtabpage.activity-stream.feeds.telemetry” to false 
>> Set “browser.ping-centre.telemetry” to false 
>> Set “browser.tabs.crashReporting.sendReport” to false 
>> Set “devtools.onboarding.telemetry.logged” to false 
>> Set “toolkit.telemetry.enabled” to false 
>> Search for “toolkit.telemetry.server” and clear it 
>> Set “toolkit.telemetry.unified” to false 
=> Set “beacon.enabled” to false 

==> Disable Pre-Fetching 
>> Set “network.dns.disablePrefetch” to true 
>> Set “network.dns.disablePrefetchFromHTTPS” to true 
>> Set “network.predictor.enabled” to false 
>> Set “network.predictor.enable-prefetch” to false 
>> Set “network.prefetch-next’ to false 
>> Set “browser.urlbar.speculativeConnect.enabled” to false 

==> Disable Javascript in PDFs 
>> Set “pdfjs.enableScripting” to false 

>> Disable obsolete SSL encryption 
>> Set “security.ssl3.rsa_des_ede3_sha” to false 


>> Set “security.ssl.require_safe_negotiation” to true 





>> Disable Firefox Accounts 
>> Set “identity.fxaccounts.enabled” to false 
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>> Set “geo.enabled” to false 
>> Disable Web Notifications 
>> Set “dom.webnotifications.enabled” to false 
>> Disable Copy/Paste Notifications 
>> Set “dom.event.clipboardevents.enabled” to false 
>> Disable Microphone/Camera status fetching 
>> Set “media.navigator.enabled” to false 
>> Enable “Do Not Track” 
>> Set “privacy.donottrackheader.enabled” to true 
=> Disable SafeBrowsing 
>> Set “browser.safebrowsing.malware.enabled” to false 
>> Set “browser.safebrowsing.phishing.enabled” to false 
>> Set “browser.safebrowsing.downloads.remote.enabled” to false 
>> Moderate Settings (could break some websites) 
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>> Set “media.peerconnection.enabled” to false 
>> Set “media.navigator.enabled” to false 
>> Disable WebGL (this will break some media intensive websites) 
>> Set “webgl.disabled” to true 
>> Disable DRM 
>> Set “media.eme.enabled” to false 
>> Set “media.gmp-widevinecdm.enabled” to false 
>> Set Cookies Behavior 
>> Set “network.cookie.cookieBehavior” to 1 
>> Change referer policy 
>> Set “network.http.referer.XOriginPolicy” to 2 
>> Set “network.http.referer.XOriginTrimmingPolicy” to 2 
>> Change Session Storage behavior 
>> Set “browser.sessionstore.privacy_level” to 2 
>> Disable Connection Tests for Captive Portals 
>> Set “network.captive-portal-service.enabled” to false 
>> Disable “Trusted Recursive Resolver” 
>> Set/Create “network.trr.mode” and set it to 5 
>> Advanced (this will break some websites) 
>> Set “privacy.resistFingerprinting” to true 
>> Set “privacy.trackingprotection.fingerprinting.enabled” to true 
>> Set “privacy.trackingprotection.cryptomining.enabled” to true 
>> Set “privacy.trackingprotection.enabled” to true 
>> Set “browser.send_pings” to false 
>> Set “network.http.sendRefererHeader” to 0 (this might break plenty of websites) 
>> Set “privacy.firstparty.isolate” to true 
>> Set “network.cookie.lifetimePolicy” to 2 (this deletes all cookies after each session) 
>> Set “network.http.referer.XOriginPolicy” to 2 (Send Referer only when the full hostnames match) 
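Rather than re-checking about:config entries by hand after every Firefox update, the prefs can be kept in a user.js file and audited. The following Python script is an added example and not code from the guide: it parses an existing user.js or prefs.js, reports which of a subset of the prefs listed above are missing or set to a different value, and can emit a user.js fragment that sets them. The subset chosen, the constructed sample file and the pref types are assumptions for the demonstration; a pref absent from the file simply keeps Firefox's default, which is why it is reported as missing.

```python
import json
import re
from typing import Dict, Optional, Tuple, Union

PrefValue = Union[bool, int, str]

# Hardening prefs taken from the about:config list above (a subset covering the
# "Safe" and "Moderate" tiers). Firefox prefs are booleans, integers or strings.
HARDENING_PREFS: Dict[str, PrefValue] = {
    "extensions.pocket.enabled": False,
    "toolkit.telemetry.enabled": False,
    "toolkit.telemetry.unified": False,
    "toolkit.telemetry.server": "",
    "beacon.enabled": False,
    "network.dns.disablePrefetch": True,
    "network.prefetch-next": False,
    "pdfjs.enableScripting": False,
    "geo.enabled": False,
    "privacy.donottrackheader.enabled": True,
    "media.peerconnection.enabled": False,
    "webgl.disabled": True,
    "network.cookie.cookieBehavior": 1,
    "network.http.referer.XOriginPolicy": 2,
    "network.trr.mode": 5,
}

# One user_pref("name", value); line, as written in user.js / prefs.js.
_PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$')


def _parse_value(raw: str) -> PrefValue:
    """Turn the textual pref value into a Python bool/int/str."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith('"') and raw.endswith('"'):
        return json.loads(raw)  # handles \" and \\ escapes inside strings
    return int(raw)


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse the user_pref lines of a user.js/prefs.js; comments and blank lines are skipped."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = _PREF_LINE.match(line)
        if m:
            prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs


def audit(current: Dict[str, PrefValue],
          expected: Dict[str, PrefValue] = HARDENING_PREFS
          ) -> Dict[str, Tuple[str, Optional[PrefValue]]]:
    """Report every expected pref that is missing or set to another value.

    Returns {pref: ("missing", None)} or {pref: ("mismatch", actual_value)}.
    The type is compared too, so the integer 1 does not pass for the boolean true.
    """
    findings: Dict[str, Tuple[str, Optional[PrefValue]]] = {}
    for name, want in expected.items():
        if name not in current:
            findings[name] = ("missing", None)
        elif current[name] != want or type(current[name]) is not type(want):
            findings[name] = ("mismatch", current[name])
    return findings


def render_user_js(prefs: Dict[str, PrefValue]) -> str:
    """Write prefs back out in user.js syntax (the file goes into the profile directory)."""
    lines = []
    for name, value in prefs.items():
        if isinstance(value, bool):          # bool must be tested before int
            text = "true" if value else "false"
        elif isinstance(value, int):
            text = str(value)
        else:
            text = json.dumps(value)
        lines.append(f'user_pref("{name}", {text});')
    return "\n".join(lines) + "\n"


# Constructed sample: a partially hardened user.js with one wrong value.
SAMPLE_USER_JS = """\
// constructed sample, not a real profile
user_pref("extensions.pocket.enabled", false);
user_pref("toolkit.telemetry.enabled", false);
user_pref("toolkit.telemetry.server", "");
user_pref("network.cookie.cookieBehavior", 4);
user_pref("webgl.disabled", true);
user_pref("browser.startup.homepage", "about:blank");
"""

if __name__ == "__main__":
    findings = audit(parse_prefs(SAMPLE_USER_JS))
    for name, (status, actual) in sorted(findings.items()):
        note = f" (currently {actual!r})" if status == "mismatch" else ""
        print(f"{status:8} {name}{note}")
    print("\n# user.js fragment that would set everything:\n" + render_user_js(HARDENING_PREFS))
```

Run against the real prefs.js of a profile (with Firefox closed) to see what drifted; the rendered fragment is meant to be appended to user.js, which Firefox re-applies on every start so the values survive updates.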


Addons to install/consider: 
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>> Alternatively, Decentraleyes (https://addons.mozilla.org/en-US/firefox/addon/decentraleyes/) 
>> HTTPS Everywhere (https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/) 
>> NoScript (https://addons.mozilla.org/en-US/firefox/addon/noscript/) 
>> Within the options, Change Default options to check everything except “Ping” and “Unrestricted CSS” 
>> Alternative to NoScript, uMatrix (https://addons.mozilla.org/en-US/firefox/addon/umatrix/) 
>> ClearURLs (https://addons.mozilla.org/en-US/firefox/addon/clearurls/) 
>> PrivacyBadger (https://addons.mozilla.org/en-US/firefox/addon/privacy-badger17/) 
>> Temporary Containers (https://addons.mozilla.org/en-US/firefox/addon/temporary-containers/) 
>> Privacy Settings (https://addons.mozilla.org/en-US/firefox/addon/privacy-settings/) 
>> Privacy Redirect (https://addons.mozilla.org/en-US/firefox/addon/privacy-redirect/) 


>> While the settings for Invidious and Nitter instances are random, I would recommend setting them to “nitter.net” for Nitter and 
“yewtu.be” for Invidious. 


Bonus resources: 
Here are also two recent guides to harden Firefox: 
>> https://chrisx.xyz/blog/yet-another-firefox-hardening-guide/ [Archive.org] 


>> https://ebin.city/~werwolf/posts/firefox-hardening-guide/ [Archive.org] 


Appendix W: Virtualization 


So, you might ask yourself, what is Virtualization? 


Basically, it is like the Inception movie with computers. You have emulated software computers called Virtual Machines running on a physical 
computer. And you can even have Virtual Machines running within Virtual Machines if you want to (but this will require a more powerful laptop 
in some cases). 


Here is a little basic illustration of what Virtualization is: 
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Each Virtual Machine is a sandbox. Remember the reasons for using them are to prevent the following risks: 
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leaked and not the Host Hardware identifiers) 
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access to the Host OS which is not so trivial). 


Mitigate online data leaks by being able to enforce strict network rules on Virtual Machines for accessing the network (such as passing 
through the Tor Network). 


Appendix X: Using Tor bridges in hostile environments 


In some environments, your ISPs might be trying to prevent you from accessing Tor. Or accessing Tor openly might be a safety risk. 


In those cases, it might be necessary to use Tor bridges to connect to the Tor network (see Tor Documentation 
https://2019.www.torproject.org/docs/bridges [Archive.org] and Whonix Documentation https://www.whonix.org/wiki/Bridges [Archive.org]). 
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Browser extension*’~~ while others are running on various servers around the world. Most of those bridges are running some type of 
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Here is the definition from the Tor Browser Manual: “obfs4 makes Tor traffic look random and prevents censors from finding bridges by 
Internet scanning. obfs4 bridges are less likely to be blocked than its predecessor, obfs3 bridges”. 


Some of those are called “Meek” bridges and are using a technique called “Domain Fronting” where your Tor client (Tails, Tor Browser, 
Whonix Gateway) will connect to a common CDN used by other services. To a censor, it would appear you are connecting to a normal 
website such as Microsoft.com. See https://gitlab.torproject.org/legacy/trac/-/wikis/doc/meek for more information. 


Another definition from their manual: “meek transports make it look like you are browsing a major web site instead of using Tor. meek-
azure makes it look like you are using a Microsoft web site”. This is a type of “domain fronting”. 


Lastly, there are also bridges called Snowflake bridges that rely on users running the snowflake extension in their browser to become 
themselves entry nodes. See https://snowflake.torproject.org/ [Archive.org]. 


First, you should proceed with the following checklist to make sure you cannot circumvent Tor Blocking (double-check) and try to use Tor 
Bridges (https://bridges.torproject.org/ [Archive.org]). 
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>> (Recommended if hostile/risky environment) Try to get a meek bridge in the Tor connection options (might be your only option if you 
are for instance in China). 


[Screenshot of the Tor Browser “Bridges” settings: “Bridges help you access the Tor Network in places where Tor is blocked. Depending on 
where you are, one bridge may work better than another.” Options shown: “Use a bridge”; “Select a built-in bridge” (meek-azure, obfs4, 
snowflake); “Request a bridge from torproject.org”; “Provide a bridge: Enter bridge information from a trusted source.”] 
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>> https://bridges.torproject.org/bridges?transport=meek (for a meek bridge) 
>> https://bridges.torproject.org/bridges?transport=obfs4 (for an obfs4 bridge) 


This website obviously could be blocked/monitored too so you could instead (if you have the ability) ask someone to do this for you if you 
have a trusted contact and some e2e encrypted messaging app. 


Finally, you could also request a bridge by e-mail to bridges@torproject.org with the subject empty and the body being: “get transport 
obfs4” or “get transport meek”. There is some limitation with this method though, as it is only available from a Gmail e-mail address or Riseup. 
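Whichever way a bridge line reaches you (website, e-mail, or a trusted contact), it is worth checking that it is well-formed before pasting it into Tor Browser or torrc, since a mistyped or mangled line simply fails to connect and a line from an untrusted source should be refused outright. The following Python validator is an added example and not part of the guide: it parses the “<transport> <ip>:<port> <fingerprint> key=value …” layout, rejects lines with an unknown transport, a bad address or port, a fingerprint that is not 40 hex characters, or an obfs4 line without its cert= and iat-mode= arguments, and renders the accepted ones as torrc directives. The transport names (meek_lite for meek), the fixed 70-character obfs4 cert length, and the sample lines with their documentation addresses, dummy fingerprints and certs are assumptions constructed for the demonstration.

```python
import ipaddress
import re
from typing import Any, Dict, List, Tuple

# Transports the guide mentions, named as they appear in a bridge line
# (assumption: meek is shipped as "meek_lite" in current Tor Browser bundles).
KNOWN_TRANSPORTS = {"obfs4", "meek_lite", "snowflake"}
_FINGERPRINT = re.compile(r"^[0-9A-Fa-f]{40}$")   # relay identity: 20 bytes as hex
_OBFS4_CERT = re.compile(r"^[A-Za-z0-9+/]{70}$")  # assumed: 52 bytes base64 without padding


def parse_bridge_line(line: str) -> Dict[str, Any]:
    """Parse one "<transport> <ip>:<port> <fingerprint> key=value ..." bridge line.

    Raises ValueError with a reason when the line is malformed, so a line that was
    mistyped or altered in transit is rejected before it reaches torrc.
    """
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("expected at least: transport address fingerprint")
    transport, address, fingerprint = parts[0], parts[1], parts[2]
    if transport not in KNOWN_TRANSPORTS:
        raise ValueError(f"unknown transport {transport!r}")
    host, sep, port_text = address.rpartition(":")   # rpartition keeps IPv6 "[...]:port" intact
    if not sep:
        raise ValueError("address must be ip:port")
    ip = ipaddress.ip_address(host.strip("[]"))      # raises ValueError on junk
    port = int(port_text)                             # raises ValueError on junk
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if not _FINGERPRINT.match(fingerprint):
        raise ValueError("fingerprint must be 40 hex characters")
    args: Dict[str, str] = {}
    for item in parts[3:]:
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"bad argument {item!r}")
        args[key] = value
    if transport == "obfs4":
        if not _OBFS4_CERT.match(args.get("cert", "")):
            raise ValueError("obfs4 bridge needs a 70-character base64 cert=")
        if args.get("iat-mode") not in {"0", "1", "2"}:
            raise ValueError("obfs4 bridge needs iat-mode=0|1|2")
    return {"transport": transport, "ip": str(ip), "port": port,
            "fingerprint": fingerprint.upper(), "args": args}


def validate_bridge_lines(lines: List[str]) -> Tuple[List[Dict[str, Any]], List[Tuple[str, str]]]:
    """Split a pasted bundle of bridge lines into accepted entries and (line, reason) rejects."""
    accepted: List[Dict[str, Any]] = []
    rejected: List[Tuple[str, str]] = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            accepted.append(parse_bridge_line(line))
        except ValueError as exc:
            rejected.append((line, str(exc)))
    return accepted, rejected


def to_torrc(bridges: List[Dict[str, Any]]) -> str:
    """Render accepted bridges as torrc directives. The ClientTransportPlugin line that
    points at the installed pluggable-transport binary is installation-specific and is
    not generated here."""
    out = ["UseBridges 1"]
    for b in bridges:
        extra = " ".join(f"{k}={v}" for k, v in b["args"].items())
        out.append(f"Bridge {b['transport']} {b['ip']}:{b['port']} {b['fingerprint']}"
                   + (f" {extra}" if extra else ""))
    return "\n".join(out) + "\n"


# Constructed sample lines: RFC 5737 documentation addresses, dummy fingerprints and certs.
SAMPLE_LINES = [
    "obfs4 192.0.2.10:443 0123456789abcdef0123456789ABCDEF01234567 cert=" + "A" * 70 + " iat-mode=0",
    "obfs4 192.0.2.11:0 0123456789ABCDEF0123456789ABCDEF01234567 cert=" + "B" * 70 + " iat-mode=0",
    "obfs3 192.0.2.12:443 0123456789ABCDEF0123456789ABCDEF01234567",
    "obfs4 192.0.2.13:443 0123456789ABCDEF0123456789ABCDEF0123456 cert=" + "C" * 70 + " iat-mode=0",
]

if __name__ == "__main__":
    ok, bad = validate_bridge_lines(SAMPLE_LINES)
    for line, reason in bad:
        print(f"REJECTED ({reason}): {line[:40]}...")
    print(to_torrc(ok))
```

The validator only checks shape; it cannot tell a genuine bridge from a fake one with a plausible fingerprint, which is why the source of the line still has to be trusted.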


>> See: [A note about Riseup:] Riseup has potentially been compromised. Use it at your own risk. 
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If not, consider Appendix P: Accessing the internet as safely as possible when Tor and VPNs are not an option 


Appendix Y: Installing and using desktop Tor Browser 


Installation: 


This is valid for Windows, Linux, and macOS. 
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>> Open Tor Browser 


Usage and Precautions: 


>> After opening Tor Browser, you will see an option to connect, a checkbox to connect automatically and a button to go into Tor Network 
Settings. The Tor Network settings are there for you to possibly configure Bridges to connect to Tor if you are experiencing issues 
connecting to Tor due to Censorship or Blocking as explained here: Appendix X: Using Tor bridges in hostile environments. 


[Screenshot of the Tor Browser “Connect to Tor” screen: “Tor Browser routes your traffic over the Tor Network, run by thousands of 
volunteers around the world.” With a “Connect” button, an “Always connect automatically” checkbox and a “Tor Network Settings” button.] 

>> Personally, in the case of censorship or blocking, I would recommend using Meek-Azure bridges if needed. And Snowflake bridges as a 
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[Screenshot of the Tor Browser “Bridges” settings again: “Use a bridge”; “Select a built-in bridge” with meek-azure selected (other 
choices: obfs4, snowflake); “Request a bridge from torproject.org”; “Provide a bridge: Enter bridge information from a trusted source.”] 


>> At this point, still before connecting, you should click the little shield Icon (upper right, next to the Address bar) and select your Security 
level (see https://tb-manual.torproject.org/security-settings/ [Archive.org] for details). Basically, there are three. 





>> Standard (the default): 
>> All features are enabled (including JavaScript) 
>> Safer: 
>> JavaScript is disabled on non-HTTPS websites 
>> Some fonts and symbols are disabled 
>> Any media playback is “click to play” (disabled by default) 
>> Safest: 
>> JavaScript is disabled everywhere 
>> Some fonts and symbols are disabled 
>> Any media playback is “click to play” (disabled by default) 


[Screenshot of the Tor Browser “Security Level” panel (“Disable certain web features that can be used to attack your security and 
anonymity”): Standard: all Tor Browser and website features are enabled. Safer: JavaScript is disabled on non-HTTPS sites; some fonts 
and math symbols are disabled; audio and video (HTML5 media) and WebGL are click-to-play. Safest: only allows website features required 
for static sites and basic services (these changes affect images, media, and scripts); JavaScript is disabled by default on all sites; some 
fonts, icons, math symbols, and images are disabled; audio and video (HTML5 media) and WebGL are click-to-play.] 


I would recommend the “Safer” level for most cases. The Safest level should only be enabled if you think you are accessing suspicious or 
dangerous websites or if you are extra paranoid. The Safest mode will also most likely break many websites that rely actively on JavaScript. 
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level, I will diverge from some but agree with others (for instance the Tails project and others) and will actually recommend some 
modifications of the default Tor Browser with the addition of two extensions: 





>> uBlock Origin (as is the case on Tails) while leaving the extension on the default settings: 
>> Head over to https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/ within Tor Browser and install the extension. 
>> Privacy Redirect: This is very practical if you use the “Safest” mode as Invidious instances require no JavaScript. 
>> Head over to https://addons.mozilla.org/en-US/firefox/addon/privacy-redirect/ within Tor Browser and install the extension. 
>> While the settings for Invidious and Nitter instances are random, I would recommend setting them to “nitter.net” for Nitter and 
“yewtu.be” for Invidious. 


Let’s keep in mind that even three-letter agencies recommend blocking ads for their internal users in order to improve security. 


If you decide to go for the above personal and not officially recommended option, the “Safer” level should still be used with some extra 
precautions while using some websites: see Appendix A5: Additional browser precautions with JavaScript enabled. 


Now, you are really done, and you can now surf the web anonymously from your desktop device. 


Appendix Z: Online anonymous payments using cryptocurrencies 


There are many services that you might want to use (VPS hosting, mail hosting, domain names...) but require payment of some kind. 
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through the postal services) or Monero which you can buy and use directly and safely. 


But what if the service you want does not accept Monero but does accept a more mainstream cryptocurrency such as Bitcoin (BTC) or 
Ethereum (ETH)? 
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cryptocurrencies such as BTC/ETH/LTC, but they are also dangerous as you might end up trading your currency for dirty currency from 
illicit activities. Use Monero to anonymize your crypto. Use a normal KYC-enabled Exchange to buy/sell your Monero (such as Kraken) 
or (at your own risk), use a service like LocalMonero. 


>> Stay away from what are in my opinion risky private/anonymizing wallets such as https://we.incognito.org. Use a safer method 
as explained below. 


Reasonably anonymous option: 


Despite this, it is possible to safely anonymize Bitcoin through the use of cryptocurrencies with a focus on untraceability such as Monero 
(XMR) with a few more steps and at a relatively small cost. So, you might be wondering how? Well, it is actually pretty simple: 


1. Purchase Monero at: 
a. a KYC exchange (such as Kraken) 
b. a non-KYC exchange (such as https://bisq.network/) 
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2. Create a Monero wallet on one of your anonymized VMs (for example, on the Whonix Workstation which includes a Monero GUI wallet 
natively or using the Monero GUI wallet from https://www.getmonero.org/downloads/ on other OSes) 


3. Transfer your Monero from the Exchange you bought it from to the wallet on your VM. 


4. On the same VM (for instance again the Whonix Workstation), create a Bitcoin Wallet (again this is provided natively within the Whonix 
Workstation) 


5. From an anonymized browser (such as Tor Browser), use a non-KYC (Know Your Customer) swapping service (see Appendix 
A8: Crypto Swapping Services without Registration and KYC) and convert your Monero to BTC and transfer those to the BTC Wallet 
you have on your anonymized VM. 


You should now have an anonymized Bitcoin wallet that can be used for purchasing services that do not accept Monero. You should never 
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Remember those can be traced back to you. 
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Appendix B2: Monero Disclaimer. 


Extra-Paranoid anonymous option: 
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privacy/anonymity-focused cryptocurrency such as Zcash (https://z.cash/ [Archive.org]) 





For example, here are two possibilities: 
1. Buying Monero first option: 
a. Buy Monero (XMR) at either: 
i. a KYC exchange (such as Kraken) 
ii. a non-KYC exchange (such as https://bisq.network/) 
iii. from someone on LocalMonero using cash (at your own risk) 


b. Transfer your Monero to your Monero wallet in a secure environment (such as the Monero GUI wallet pre-installed on the Whonix 
workstation or using the Monero GUI wallet from https://www.getmonero.org/downloads/ on other OSes). 


c. Use a swapping service (see Appendix A8: Crypto Swapping Services without Registration and KYC) to exchange your Monero to a 
Zcash wallet you control in your secure environment (see Appendix A9: Installing a Zcash wallet). 
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addresses (some exchanges allow this directly). 


i. Do make sure the wallets are different and change your Tor identity before opening the recipient wallet. 
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e. Use a swapping service again to exchange your Zcash to Monero/BTC/other (for BTC, use for example the Electrum Wallet on the 
Whonix Workstation). 


f. Use your Monero/BTC/other anonymously. 
2. Buying Zcash first option: 
a. Buy Zcash (see https://z.cash/exchanges/ [Archive.org]) 
b. Transfer your Zcash from the exchange to a VM Zcash Wallet (see Appendix A9: Installing a Zcash wallet). 


c. Transfer your Zcash from your VM Zcash Wallet to another VM Zcash Wallet using shielded addresses. 


i. Do make sure the wallets are different and change your Tor identity before opening the recipient wallet. 


d. Use a swapping service (see Appendix A8: Crypto Swapping Services without Registration and KYC) to exchange your Zcash to 
Monero at your VM Monero Wallet (such as the Monero GUI wallet pre-installed on the Whonix workstation or using the Monero GUI 
wallet from https://www.getmonero.org/downloads/ on other OSes). 


e. Now either use your Monero directly to buy from merchants OR use a swapping service to swap your Monero to another 
cryptocurrency such as BTC/ETH/Other (for BTC, use for example the Electrum Wallet on the Whonix Workstation). 


f. Use your cryptocurrency anonymously. 


These steps should upgrade you from “reasonably anonymous” to “extra-paranoid anonymous”. Even if Monero is broken in the future, Zcash 
would have to be broken as well. Quite unlikely. 


When using BTC: bonus step for improving your privacy using obfuscation: 


You might want to consider the use of Wasabi (https://wasabiwallet.io/ [Archive.org]) for your BTC transactions using their “CoinJoin” feature 
to further cover your tracks. This would mean swapping your Monero for BTC to a Wasabi Wallet instead of a normal Wallet. And then using 
that Wasabi Wallet for your BTC transactions using their CoinJoin feature. 


When converting from BTC to Monero: 
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recommend using the new Monero Atomic Swap Tool: https://unstoppableswap.net/. This will prevent unnecessary fees and intermediates 
when using a commercial swapping service. The website is self-explanatory with detailed instructions for all OSes. 


Appendix A1: Recommended VPS hosting providers 


I will only recommend providers that accept Monero as payment and here is my personal shortlist: 
>> Njalla https://njal.la/ (my personal favorite but quite expensive, recommended by PrivacyGuides.org). 
>> 1984.is (my second favorite, much less expensive) https://www.1984.is. 
>> To be considered at your own risk (untested): 
>> https://cryptoho.st/ (warning, this might be against their ToS as they require personal identification on registration) 


>> https://www.privex.io/ 





>> (warning, this provider is rather “edgy” and could offend some people) 
Also consider these lists: 
pe (0) i wd £0) (=(01 8 
>> PrivacyGuides.org: 


Lastly, you could pick one (at your own risk) from the list here that does accept Monero: 


Please do read 


If the service does not accept Monero but does accept BTC, consider the following appendix: 


Appendix A2: Guidelines for passwords and passphrases 


My opinion (and the one of many) is that passphrases are generally better than passwords. So instead of thinking of 
better passwords, forget them altogether and use passphrases instead (when possible). Or just use a password manager with very long 
passwords (such as KeePassXC, the preferred password manager in this guide). 


The well-known XKCD shown below is still valid despite some people disputing it (see the footnoted discussion, which argues that it 
might be misinterpreted). But generally, it is still valid and a good argument for using passphrases instead of passwords. 


[Illustration: the XKCD “Password Strength” comic. Left panel: a password such as “Tr0ub4dor&3” (an uncommon, non-gibberish base word 
with a common substitution, a numeral and punctuation appended) has about 28 bits of entropy at 1000 guesses/sec (a plausible attack on a 
weak remote web service; yes, cracking a stolen hash is faster, but that is not what the average user should worry about). Difficulty to 
guess: easy. Difficulty to remember: hard. Right panel: four random common words, “correct horse battery staple”, have about 44 bits of 
entropy (2^44 = 550 years at 1000 guesses/sec). Difficulty to guess: hard. Difficulty to remember: you’ve already memorized it. Caption: 
“Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for 
computers to guess.”] 


(Illustration by Randall Munroe, xkcd.com, licensed under CC BY-NC 2.5) 


Here are some recommendations (based on Wikipedia): 
>> Long enough to be hard to guess (typically four words is a minimum, five or more is better). 
>> Not a famous quotation from literature, holy books, et cetera. 
>> Hard to guess by intuition, even by someone who knows the user well. 
>> Easy to remember and type accurately. 
>> For better security, any easily memorable encoding at the user’s own level can be applied. 
>> Not reused between sites, applications, and other different sources. 
>> Do not use only “common words” (like “horse” or “correct”) 
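The comic’s numbers follow from one formula: a passphrase of n words picked uniformly at random from a list of N words carries n × log2(N) bits of entropy, and an attacker at a fixed guess rate needs 2^bits / rate seconds to try them all. The following Python block is an added example, not part of the guide, that works this through (44 bits for four words from a 2048-word list, about 557 years at 1000 guesses/sec, close to the comic’s rounded 550), and shows a generator that draws the words with the secrets module rather than the random module. The toy wordlist is constructed for the demo; the 7776-word size quoted for a real list such as the EFF large list is an assumption.

```python
import math
import secrets
from typing import List

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_entropy_bits(word_count: int, wordlist_size: int) -> float:
    """Entropy of word_count words chosen uniformly at random (with replacement)
    from a list of wordlist_size distinct words: log2(size) bits per word."""
    if word_count < 1 or wordlist_size < 2:
        raise ValueError("need at least one word from a list of at least two")
    return word_count * math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every passphrase of the given entropy at a fixed guess rate.
    On average the attacker succeeds after about half of this."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(word_count: int, wordlist: List[str], separator: str = " ") -> str:
    """Pick words with the secrets module (CSPRNG); random.choice is not suitable here.
    Duplicate entries would make the real entropy lower than the formula says."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("wordlist contains duplicates")
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


# Constructed toy wordlist for the demo: 16 words, so only 4 bits per word.
# A real list (assumed: 7776 words, as in the EFF large list) gives log2(7776) ≈ 12.9 bits per word.
TOY_WORDLIST = ["correct", "horse", "battery", "staple", "trombone", "troubadour",
                "anchor", "planet", "lantern", "copper", "meadow", "violet",
                "silver", "tunnel", "walnut", "harbor"]

if __name__ == "__main__":
    bits = passphrase_entropy_bits(4, 2048)   # the comic's example: 4 words, 2048-word list
    print(f"4 words from 2048: {bits:.0f} bits, "
          f"{years_to_exhaust(bits, 1000):.0f} years to exhaust at 1000 guesses/s")
    bits = passphrase_entropy_bits(5, 7776)   # the "five or more" recommendation above
    print(f"5 words from 7776: {bits:.1f} bits, "
          f"{years_to_exhaust(bits, 1e9):.0f} years to exhaust at 1e9 guesses/s")
    print("toy passphrase (4 bits per word, demo only):", generate_passphrase(4, TOY_WORDLIST))
```

The second line of output is the point of the “five or more” recommendation: five words from a 7776-word list are about 64.6 bits, which survives a far faster offline attack than the comic’s 1000 guesses/sec, while four words from the same list give under 52 bits.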


Here is a nice website showing you some examples and guidelines: https://www.useapassphrase.com/ 


Watch this insightful video by Computerphile: https://www.youtube.com/watch?v=3NjQ9b3pgig [Invidious] 
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you used the same passphrase everywhere. 


You might ask how? Simple: use a password manager such as the recommended KeePassXC. Only remember the passphrase to 
unlock the database and then store everything else in the KeePassXC database. Within KeePassXC you can then create extremely 
long passwords (30+ random characters) for each different service. 


Appendix A3: Search Engines 


Which search engine should you pick for your VMs? 
I will not go into too many details. Just pick one from PrivacyGuides.org (https://privacyguides.org/providers/search-engines [Archive.org]). 
Personally, my favorites are: 
>> https://duckduckgo.com/ (because you can easily use operators such as “!g” to google or “!b” to Bing) 
>> https://www.startpage.com/ 
>> SearX (https://searx.me/) instances listed here: https://searx.space/ 
Note that some of those have a convenient “.onion” address: 
>> DuckDuckGo: https://duckduckgogg42xjoc72x3sjasowoarfbgcmvfimaftt6twagswzczad.onion/ 


In the end, I am often not satisfied with the results of both those search engines and still end up on Bing or Google. 


Appendix A4: Counteracting Forensic Linguistics 
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Introduction: 


Stylometry is our personal and unique writing style. No matter who you are, you have a unique, fingerprintable, and traceable writing style. 
This has been understood for a while now, and a branch of forensics is built off of this principle: forensic linguistics. In this field, the particular 
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internet by comparing a suspect's text to a Known collection of writer invariant (normally written) texts, and even without comparison texts, 
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What does an adversary look for when examining your writing? 


1. Lexical features: analysis of word choice. 
2. Syntactic features: analysis of writing style, sentence structure, punctuation, and hyphenation. 
3. Structural features: analysis of structure and organization of writing. 
4. Content-specific words: analysis of contextually significant writing such as acronyms. 
5. Idiosyncratic features: analysis of grammatical errors. This is the most important factor to consider because it provides relatively high 
accuracy of identification. 


Examples: 
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adversaries such as law enforcement have used Writeprint techniques to help catch and sentence people. Here are some examples: 


>> The OxyMonster case (https://arstechnica.com/tech-policy/2018/06/dark-web-vendor-oxymonster-turns-out-to-be-a-frenchman-with-luscious-beard/ [Archive.org]). 


>> Public data revealed that Vallerius (a.k.a. OxyMonster) has Instagram and Twitter accounts. Agents compared the writing style of 
“OxyMonster” on the Dream Market forum while in a senior Moderator role to the writing style of Vallerius on his public Instagram 
and Twitter accounts. Agents discovered many similarities in the use of words and punctuation, including the word “cheers”, 
double exclamation marks, frequent use of quotation marks, and intermittent French posts. 





Do not use the same writing style for your sensitive activities as for your normal activities. In particular, pay close attention to your use of 
common phrases and punctuation. Also, as a side note: limit the amount of reference material that an adversary can use as comparison 
text; you do not want to find yourself in trouble because of your political Twitter post, or that Reddit post you made years ago, do you? 


>> Here is another example from the book American Kingpin, about how a DEA agent investigated the writing style of DPR (Dread Pirate 
Roberts a.k.a Ross Ulbricht, founder of the Silk Road Dark Market) from a unique perspective: For one, Ross Ulbricht used the word 
“epic” a lot, which showed that he was likely young. He also used emoji smiley faces in his writing, though he never used a hyphen as 
the nose, writing them as “:)” rather than the old-fashioned “:-)”. Yet the one attribute about Ulbricht that stood out was that rather than 
writing “yes” or “yeah” on the site’s forums, Ulbricht instead always typed “yea”. 


Pay attention to the little things that might add up. If you usually reply with “ok” to people, maybe try to reply with “okay” for your sensitive 
activities. You should NEVER use words or phrases from your sensitive activities (even if they are not in a public post) for normal purposes, 
and vice versa. Ross Ulbricht used “frosty” as the name for his Silk Road servers, and for his YouTube account, which helped convince law 
enforcement that Dread Pirate Roberts was in fact, Ross Ulbricht. 


How to counteract the efforts of your adversary: 


1. Reduce the amount of comparison text for adversaries to compare you with. This goes with having a small online footprint for your 
normal activities. 


2. Use a word processor (such as LibreWriter) to fix any grammatical/spelling errors that you regularly encounter. 
3. Reduce or change the idioms that you use while conducting sensitive activities. 


4. Understand how your identity affects your writing style: Is your alias younger? Older? More educated? Or less educated? If your identity 
is older, maybe speak in a more JRR Tolkien style of writing. 


5. Pay attention to how your slang and spelling might identify you. If you are from the UK, you should say “maths”, but if you are from the 
US you say “math”. It does not matter how you say “maths”, all that matters is that it can be used to profile you. This also applies to 
slang as many regions each have different and extremely particular slang. You do not ask someone from the USA for a “rubber” and 
expect them to give you an “eraser” as an example. 


6. Pay attention to your use of emoticons and emojis. In the previous example, the DEA agent was able to make a correct assumption that 
Ulbricht was likely young because he did not use a hyphen when making a smiley emoticon. 


7. Pay attention to how you structure your writing. Do you use two spaces after a period? Do you constantly use parentheses in your 
writing? Do you use the Oxford comma? 


8. Consider what symbols you use in your writing. Do you use €, £ or $? Do you use “dd-mm-yyyy” or “mm-dd-yyyy” for dates? Do you 
use “08:00 pm” or “20:00” for time? 


What different linguistic choices could say about you: 


Emoticons: 


1. Russians for example use “)” instead of “:-)” or “:)” to express a smiley face. 
2. Scandinavians use “=)” instead of “:-)” or “:)” for a smiley face. 
3. Younger people generally do not use a hyphen in their smiley faces and just use “:)”. 


Structural features: 


1. Two spaces after a period give off the impression that you are older, because this is how typing was taught to people learning to 
type with typewriters. 


2. In the US people write numbers out with commas between the digit groups to the left of the decimal point and a period as the decimal 
separator. This is in contrast to how people write out numbers on the rest of the planet: 


US: 1,000.00$ 
Europe: 1.000,00€ 


Spelling slang and symbols: 


1. Obviously, people in different nations use different slang. This is even more pronounced when you use slang that is not as well known 
in other places such as someone from the UK mentioning a “headmaster” when in other nations it is referred to as a “principal”. 


2. Spelling is another important factor that is similar to slang, except it is harder to control. If you want to pretend that you are from the 
US but you are actually from the UK, a single spelling slip (writing “colour” instead of “color”) is enough to make people doubt that you are from the US. 


3. Some people also spell words in a particular way that is not regional for example you might spell “ax” as “axe” or vice versa. 


4. Of course, the symbols you use on your keyboard can give a lot of information away, such as £’s or $’s. 


Techniques to prevent writeprinting: 


Here are some techniques in order of use: 
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Offline using a word processor: 


Use a word processor such as LibreWriter and use the spelling and grammar checks features to fix mistakes you might have typed. 


Online using an online service: 


If you do not have a word processor available or don’t want to use one, you can also use an online spelling and grammar checker such as 
Grammarly (this requires an e-mail and account creation). 


Translation technique: 


Disclaimer: a study archived here: 
https://web.archive.org/web/20181125133942/https://www.cs.drexel.edu/~sa499/papers/adversarial_stylometry.pdf seems to 
indicate the translation technique is inefficient to prevent stylometry. This step might be useless. 


After being done with spelling and grammar fixes, use a website or software such as Google Translate (or for a more privacy-friendly version, 
https://simplytranslate.org/) to translate between several different languages before translating back to your original language. These 
translations back and forth will alter your messages and make fingerprinting more difficult. 


Search and replace: 


Finally, and optionally, add some salt by purposefully adding some mistakes to your messages. 


First decide upon a list of words that you frequently do not misspell, maybe the words “grammatical”, “symbol”, and “pronounced” (this list 
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sense. Instead, use Search and Replace and do this manually for each word. Do not use “Replace All” either and review each change. 
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Next, find a list of words that you commonly use in your writing. Let us say that I love to use contractions when I write, maybe I always use 


words such as: “can’t”, “don’t”, “shouldn’t”, “won’t”, or “let’s”. Well, maybe go into LibreWriter and use “Search and Replace” to replace all 
contractions with the full versions of the words (“can’t” > “cannot”, “don’t” > “do not”, “shouldn’t” > “should not”, “won’t” > “will not”, “let’s” > “let 
us”). This can make a large difference in your writing and change how people, and most importantly your adversaries, perceive 
you. You can change most words to be different; as an example you can change “huge” to “large”. Just make sure these words fit with your 
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your identity is from the UK. For example, you can make use of location-based spelling and lexicon. This is risky, and one mistake can give it 
away. 


First off, you need to decide where you want to give the impression of your location. Here is an example to give off the impression that you 
are from the US, or the UK. First, you will need to understand a thing or two about where your identity is “from”, do not pretend that you are 
from the UK, yet have no idea about it other than it exists. 


After you have decided upon a good location that your identity is from, research the differences in language between the two variants (in 
this case between UK English and US English). Thanks to the internet, this is quite easy, and you can find Wikipedia pages conveniently 
highlighting the regional differences of a language between two nations. Pay attention to how certain words are spelled (“metre” > “meter”) 
and what words are exchanged with each other (“boot” > “trunk”). Now that you have a list of words that can be exchanged with each other, 
and a list of spellings that are different, use the “Search and Replace” in your editor and change words such as “colour” into “color”, and 

would make perfect sense in the context of cars. But it would not make any sense in the context of shoes. 


Final advice: 


Understand that you have to constantly think of what you type and how you type while conducting sensitive activities. 


Understand that altering your writing style for such purposes can ultimately change your baseline writing style, ironically making your writing 
traceable over longer periods. 


Proofread yourself at least one time after you are done writing anything to verify you made no mistakes in your process. Trust (yourself) but 
verify anyway. 
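As an added example (not from the guide), here is a small helper for the “Search and Replace” and “proofread yourself” steps above: it proposes each substitution with its surrounding context so you can review it one by one instead of using “Replace All”, and then lists anything from your word tables that is still left in the text. The word lists are the guide’s own examples; the function names and the sample draft are assumptions.

```python
# Added example, not from the guide: a helper for its "Search and Replace" and
# "proofread yourself" steps. It proposes each substitution with its context
# instead of a blind "Replace All", and lists whatever is still left over.
# The word lists are the guide's own examples; anything else is an assumption.
import re

CONTRACTIONS = {"can't": "cannot", "don't": "do not", "shouldn't": "should not",
                "won't": "will not", "let's": "let us"}
UK_TO_US_SPELLING = {"colour": "color", "metre": "meter"}
# Lexicon swaps depend on context ("boot" > "trunk" fits cars, not shoes),
# so they are only reported by leftovers(), never applied automatically.
LEXICON_REVIEW_ONLY = {"boot": "trunk"}

def normalize(text):
    return text.replace("\u2019", "'")  # curly apostrophe -> straight

def _word_re(word):
    return re.compile(r"\b" + re.escape(word) + r"\b", re.IGNORECASE)

def propose_edits(text, mapping, context=15):
    """One (start, end, original, replacement, snippet) per hit, for review."""
    text = normalize(text)
    edits = []
    for src, dst in mapping.items():
        for m in _word_re(src).finditer(text):
            snippet = text[max(0, m.start() - context):m.end() + context]
            edits.append((m.start(), m.end(), m.group(0), dst, snippet))
    return sorted(edits)

def apply_edits(text, edits, accept=lambda edit: True):
    """Apply only the edits accept() approves, right to left so offsets stay
    valid; a leading capital is carried over ("Don't" -> "Do not")."""
    text = normalize(text)
    for edit in sorted(edits, reverse=True):
        start, end, orig, repl, _ = edit
        if accept(edit):
            if orig[0].isupper():
                repl = repl[0].upper() + repl[1:]
            text = text[:start] + repl + text[end:]
    return text

def leftovers(text):
    """Proofreading pass: list every word from the tables that still appears."""
    text = normalize(text)
    found = []
    for table in (CONTRACTIONS, UK_TO_US_SPELLING, LEXICON_REVIEW_ONLY):
        for src in table:
            found += [m.group(0) for m in _word_re(src).finditer(text)]
    return found
```

Run `propose_edits(draft, CONTRACTIONS)` on a constructed draft, print each snippet, and pass an `accept` callback that answers for each edit; `leftovers()` on the result is the final check before you post.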


Bonus links: 


>> https://www.whonix.org/wiki/Surfing_Posting_Blogging#Stylometry [Archive.org]. Whonix documentation about stylometry. 


>> https://wikipedia.org/wiki/Forensic_linguistics [Wikiless] [Archive.org]. Gives a brief rundown of the basics of forensic linguistics. 


>> https://wikipedia.org/wiki/Writeprint [Wikiless] [Archive.org]. Gives a brief and informative rundown of forensic linguistics applied to internet 
investigations. 





>> https://wikipedia.org/wiki/Stylometry [Wikiless] [Archive.org]. Gives a brief overview of Stylometry. 
>> https://wikipedia.org/wiki/Content_similarity_detection [Wikiless] [Archive.org]. I would recommend reading this, quite informative. 
>> https://wikipedia.org/wiki/Author_profiling [Wikiless] [Archive.org]. Read through this as well if you are interested in this topic. 


>> https://wikipedia.org/wiki/Native-language_identification [Wikiless] [Archive.org]. This is less important if you use a translator, but if you do 


>> https://wikipedia.org/wiki/Computational_linguistics [Wikiless] [Archive.org]. Only read through this if this topic is interesting to you. 


>> https://regmedia.co.uk/2017/09/27/gal_vallerius.pdf [Archive.org]. Explains how authorities used forensic linguistics to help arrest 
OxyMonster (pages 13-14). 


>> https://wikipedia.org/wiki/Ted_Kaczynski#After_publication [Wikiless] [Archive.org]. He may have an IQ of 167, but he was caught primarily 
based on forensic linguistics. 


>> https://i.blackhat.com/USA-19/Wednesday/us-19-Wixey-Im-Unique-Just-Like-You-Human-Side-Channels-And-Their-Implications-For-Security-And-Privacy.pdf [Archive.org]. I would recommend reading 
these slides, or watching the accompanying presentation on YouTube. 


>> https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/DEFCON-26-Matt-Wixey-Betrayed-by-the- 
>> https://i.blackhat.com/us-18/Wed-August-8/us-18-Wixey-Every-ROSE-Has-Its-Thorn-The-Dark-Art-Of-Remote-Online-Social-Engineering.pdf [Archive.org]. This goes over how to potentially spot deception through the internet, and presents a checklist to see how 
trustworthy someone is. I would advise reading the slides or watching the presentation on YouTube. 


Appendix A5: Additional browser precautions with JavaScript enabled 


To avoid browser and user fingerprinting through JavaScript while keeping JavaScript enabled, some additional safety measures should 
be observed, at least on some websites: 


These recommendations are similar to the ones at the beginning of the guide and especially valid for certain websites. Mostly, the 
recommendation is to use privacy-friendly front-end instances and alternative services for a variety of services: 


>> For YouTube links, use an Invidious instance (https://github.com/iv-org/invidious [Archive.org]) 
>> I recommend https://yewtu.be 
>> For Twitter links, use a Nitter instance (https://github.com/zedeus/nitter [Archive.org]) 
>> I recommend https://nitter.net 
>> For Wikipedia links, use a Wikiless instance (https://codeberg.org/orenom/wikiless [Archive.org]) 
>> For Reddit, use a LibReddit instance (https://github.com/spikecodes/libreddit [Archive.org]) 
>> For Maps, consider using https://www.openstreetmap.org 


>> For Translation, consider using a SimplyTranslate instance (https://git.sr.ht/~metalune/simplytranslate_web [Archive.org]) at 
https://translate.metalune.xyz/ 


>> For Search Engines use privacy-focused search engines such as: 
>> StartPage: https://www.startpage.com/ 
>> DuckDuckGo: https://duckduckgo.com/ 


>> SearX (https://searx.me/) instances: list available here: https://searx.space/ 


(Optional) Consider the use of the https://github.com/SimonBrazell/privacy-redirect [Archive.org] extension to automate the use of the above 
services. 
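As an added example (not from the guide, nor from the privacy-redirect project), here is the kind of link rewriting that extension automates for the front-ends listed above. yewtu.be and nitter.net are the instances the guide recommends; for Wikiless or LibReddit you pass the instance you chose yourself through the assumed `extra` parameter, since the guide names none.

```python
# Added example, not from the guide: rewrite links to the privacy front-ends
# this appendix lists, which is the job the privacy-redirect extension does.
# yewtu.be and nitter.net are the instances the guide recommends; for
# Wikiless or LibReddit pass your own chosen instance via `extra`.
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

FRONTENDS = {
    "youtube.com": "yewtu.be", "www.youtube.com": "yewtu.be",
    "m.youtube.com": "yewtu.be",
    "twitter.com": "nitter.net", "www.twitter.com": "nitter.net",
    "mobile.twitter.com": "nitter.net",
}

def redirect(url, extra=None):
    """Return url pointing at a front-end, or unchanged if no mapping applies.
    Path, query and fragment are kept as-is; the scheme is forced to https."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == "youtu.be":  # short link: /<id> becomes /watch?v=<id>
        query = {"v": [parts.path.strip("/")]}
        query.update(parse_qs(parts.query))  # keep e.g. t=30 timestamps
        return urlunsplit(("https", "yewtu.be", "/watch",
                           urlencode(query, doseq=True), parts.fragment))
    target = {**FRONTENDS, **(extra or {})}.get(host)
    if target is None:
        return url
    return urlunsplit(("https", target, parts.path, parts.query, parts.fragment))
```

Only the host is swapped, so a front-end that expects a different path layout than the original site needs its own rule.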


Appendix A6: Mirrors 
>> Mirror: https://mirror.anonymousplanet-ng.org 
>> IPFS Mirror: https://ipfs.anonymousplanet-ng.org 
>> Archive.org: https://web.archive.org/web/https://anonymousplanet-ng.org 
>> Archive.today: https://archive.fo/anonymousplanet-ng.org 


Offline versions (best format for the best readability) of this guide at: 

>> Light Theme PDF: https://anonymousplanet-ng.org/guide.pdf [Mirror] [Archive.org] [Tor Mirror] 
>> Dark Theme PDF: https://anonymousplanet-ng.org/guide-dark.pdf [Mirror] [Archive.org] [Tor Mirror] 
>> OpenDocument Text (ODT) version at: https://anonymousplanet-ng.org/guide.odt [Mirror] [Archive.org] [Tor Mirror] 
>> All at CryptPad.fr https://cryptpad.fr/drive/#/2/drive/view/Ughm9CjQJCwB8Blppdtvj5zy4PyE-8Gxn11x9zaqJL!/ 


Appendix A7: Comparing versions 


If you want to compare an older version of the PDF with a newer version, consider these online tools (note that I do not endorse those tools 
in relation to their privacy policies, but it should not matter since these PDFs are public): 


>> https://tools.pdf24.org/en/compare-pdf 
>> https://products.aspose.app/pdf/comparison 


If you want to compare the older version of the ODT format with a newer version, use the LibreWriter compare features as explained here: 


https://help.libreoffice.org/7.1/en-US/text/shared/guide/redlining_doccompare.html [Archive.org] 


Appendix A8: Crypto Swapping Services without Registration and KYC 


General Crypto Swapping: 
Here is a small list of non-KYC crypto swapping services; remember they all have a cost and fees: 
>> https://sideshift.ai 
>> https://bisq.network/ 
>> https://xchange.me/ 
>> https://swap.lightning-network.ro/ 
>> Kilo Swap (Onion Hidden Service): http://mlyusr6htlxsyc7t2f4z53wdxh3win7q3qpxcrbam6jf38dmua/tnzuyd.onion/coinswap 


Consider having a look at https://kycnot.me/, which is an open-source project listing non-KYC exchanges/swapping services. 


BTC to Monero only: 


Do not use any swapping service, use their Atomic Swap feature. See this Monero Atomic Swap Tool: https://unstoppableswap.net/. 


This avoids the unnecessary fees and intermediaries of a commercial swapping service. The website is self-explanatory with 
detailed instructions for all OSes. 


Appendix A9: Installing a Zcash wallet: 


Remember this should only be done in a secure environment such as a VM behind the Whonix Gateway. 
>> Open a browser 
>> Go to https://packages.debian.org/buster/amd64/libindicator3-7/download and download from a listed mirror. 
>> Go to the ZecWallet Lite Website to download the latest DEB package https://www.zecwallet.co/#download (change the download 
directory to your home directory for convenience) 
>> **sudo dpkg -i ./libindicator3-7_0.5.0-4_amd64.deb** 
>> **sudo dpkg -i ./libappindicator3-1_0.4.92-7_amd64.deb** 
>> **sudo dpkg -i ./Zecwallet_Lite_1.7.5_amd64.deb** 


>> Click the upper left menu, find then launch ZecWallet Lite 


Ubuntu 20.04/21.04/21.10 VM: 


>> Load the Ubuntu VM 

>> Open a browser 

>> Go to the ZecWallet Lite Website to download the latest DEB package https://www.zecwallet.co/#download 
>> Open a Terminal window 
>> Click the upper left menu, find then launch ZecWallet Lite 


Windows 10 VM: 


>> Load the Windows VM 

>> Open a browser 

>> Go to https://www.zecwallet.co/#download 

>> Download and install the latest Windows installer 


>> Launch ZecWallet Lite 


Whonix Workstation 16 VM: 


>> Open Tor Browser 

>> Go to https://packages.debian.org/buster/amd64/libindicator3-7/download and download from a listed mirror. 
>> Go to https://packages.debian.org/buster/amd64/libappindicator3-1/download and download from a listed mirror. 


>> Go to the ZecWallet Lite Website to download the latest DEB package https://www.zecwallet.co/#download (change the download 
directory to your home directory for convenience) 
>> **sudo dpkg -i ./libindicator3-7_0.5.0-4_amd64.deb** 
>> **sudo dpkg -i ./libappindicator3-1_0.4.92-7_amd64.deb** 
>> **sudo dpkg -i ./Zecwallet_Lite_1.7.5_amd64.deb** 


Appendix B1: Checklist of things to verify before sharing 


Here is a checklist of things to verify before sharing information with anyone: 
>> Check the files for any metadata: see Removing Metadata from Files/Documents/Pictures 
>> Check the files for anything malicious: see Appendix T: Checking files for malware 
>> Check the files for any watermarking: see Watermarking 
>> Check any writing for possible forensics analysis: see Appendix A4: Counteracting Forensic Linguistics 


>> Have a look at this part of the Whonix documentation: https://www.whonix.org/wiki/Surfing_Posting_Blogging#Anonymous_File_Sharing 
[Archive.org] 


and morally). Remember ... Do not be evil. Legal is not necessarily Good. 


Appendix B2: Monero Disclaimer 


First, please read this small introduction video to Monero: https://www.youtube.com/watch?v=H33ggs7bheM [Invidious] 


therefore, need Monero algorithms to not be broken for the next 10 years as well. 


You may want to watch this insightful video for more details: https://www.youtube.com/watch?v=j02Qol4ZInU [Invidious] 


Also please consider reading: https://github.com/monero-project/monero/blob/master/docs/ANONYMITY_NETWORKS.md#privacy-limitations [Archive.org] 


If you feel extra paranoid and want the highest safety level possible, see the Extra-Paranoid anonymous option. 
Appendix B3: Threat modeling resources 


Here are various threat modeling resources if you want to go deeper into threat modeling. 
>> (My personal favorite) LINDDUN https://www.linddun.org/ [Archive.org] 
>> STRIDE https://en.wikipedia.org/wiki/STRIDE_%28security%29 [Wikiless] [Archive.org] 
>> PASTA https://versprite.com/tag/pasta-threat-modeling/ [Archive.org] 
And there are quite a few others too, see: 
>> https://insights.sei.cmu.edu/blog/threat-modeling-12-available-methods/ [Archive.org] 
>> https://www.geeksforgeeks.org/threat-modelling/ [Archive.org] 
>> Threat Modeling Manifesto: https://www.threatmodelingmanifesto.org/ [Archive.org] 
>> OWASP: https://cheatsheetseries.owasp.org/cheatsheets/Threat_Modeling_Cheat_Sheet.html [Archive.org] 


>> Online Operations Security: https://web.archive.org/web/20210711215728/https://github.com/devbret/online-OPSEC 


References: 


1. English translation of German Telemedia Act https://www.huntonprivacyblog.com/wp-content/uploads/sites/28/2016/02/Telemedia_Act__TMA_.pdf [Archive.org] Section 13, Article 6, “The service provider must enable the 
use of Telemedia and payment for them to occur anonymously or via a pseudonym where this is technically possible and reasonable. 
The recipient of the service is to be informed about this possibility.” 
2. Wikipedia, Real-Name System Germany https://en.wikipedia.org/wiki/Real-name_system#Germany [Wikiless] [Archive.org] 
3. Wikipedia, Don’t be evil https://en.wikipedia.org/wiki/Don%27t_be_evil [Wikiless] [Archive.org] 
4. YouTube, https://www.youtube.com/watch?v=6DGNZnfKYnU [Invidious] 
5. Wikipedia, OSINT https://en.wikipedia.org/wiki/Open-source_intelligence [Wikiless] [Archive.org] 
6. YouTube Internet Historian Playlist, HWNDU https://www.youtube.com/playlist?list=PLna1KTNJu3y09Tu70U6yPn28sekaNnhOMY [Invidious] 
7. Wikipedia, 4chan https://en.wikipedia.org/wiki/4chan [Wikiless] [Archive.org] 
8. PIA, See this good article on the matter https://www.privateinternetaccess.com/blog/how-does-privacy-differ-from-anonymity-and-why-are-both-important/ [Archive.org] (disclaimer: this is not an endorsement or recommendation for this commercial service). 